TH 

63  17266 

f DUSTRY 


MILITARY, 


MISSILE 


"NAS  NORTH  ISLAND 
-SAN  DIES©*.  CALIFORNIA 


THE  OFFICE  OF  THE  DIRECTOR  OF  DEFENSE 
RESEARCH  AND  ENGINEERING 


BURE 


///2Sz? 


PREFACE 


The  enclosed  papers  are  those  presented  at  the  SEVENTH  MILITARY- INDUSTRY 
MISSILE  AND  SPACE  RELIABILITY  SYMPOSIUM  held  at  the  Naval  Air  Station,  North 
Island,  San  Diego,  California  on  18-21  June  1962. 

This  conference  was  sponsored  by  the  Office  of  the  Director  of  Defense 
Research  and  Engineering  in  cooperation  with  U.  S.  Army,  U.  S.  Air  Force, 

U.  S.  Navy  and  NASA.  The  Bureau  of  Naval  Weapons  acted  as  host  agency. 


1 


I 


J., 


• \'i  / ; 4 rrfW-0 

j •-<.«**  ,*  t--C  * ^ * •*! 

• • • : 

! * . i •*  . . .I'.;;’  '*•  * 4 v K 7J«  « i . . . >. 

. 

, ...  u vi  * * / * . * 


TABLE  OF  CONTENTS 


Page 

Keynote  Address — Management -Key  to  Accomplishment.  * .......  9 

General  B.  A,  Schriever,  USAF 
Commander,  Air  Force  Systems  Command 

Session  I 


Moderator  - J.  M,  Bridges 

Office  of  Defense  Director  Research  and  Engineering 


Specifying  Reliability  in  Military  Systems  Contracts , 13 

COL  R.  E.  Sims,  USAF 

Chief,  Technical  Requirements  Office 

Space  Systems  Division 

Procurement  Practices  for  Reliability 19 

COL  W.  W.  Thybony,  USA,  CASD  (i&L) 

Reliability  in  Specifications  for  Weapon  Systems  Design*  * * * * * 23 

A,  Brayner 

Martin  Marietta  Corporation 

Reliability  Prediction  Techniques * 33 


Dr*  G-  R*  Herd 

Boo % -Allen  Applied  Research,  Inc* 

Session  II 

Moderator  - J.  R.  Moore 

President,  Aviation  Autonetics  Division 

Design  Reliability  Measurement  and  Evaluation, 37  ^ 

W.  Sumer lin 

McDonnell  Aircraft  Corporation 

Service  Evaluation  of  Weapon  System  Reliability * 4 5 

CAPT  M.  Woods,  USN 

Operational  Test  and  Evaluation  Force 

Reliability  Techniques  in  Production.  * , 4? 

B,  Lubelsky 

Lockheed  Aircraft  Corporation 

Economic  Considerations  of  Reliability 51 

F.  E.  Wenger 

Air  Force  Systems  Command 

Reliability  Research  Needs 57  v 

E.  J.  Nucci 

Office  of  Defense  Director 
Research  and  Engineering 


3 


TABLE  OF  COWTEMS 


Session  III 

Moderator  - Major  General  W.  A-  Davis , USAF 
Commander,  Aeronautics  Systems  Division 

Lessons  from  the  Mod  IIIB  Verification  Program * + * . 

D.  B.  Christian 
General  Electric  Company 

The  Successful  Application  of  a Repeated  Test-to -Failure  Program 
on  Sergeant  Missile  Assemblies.  * * . . . 

R.  Bra  shear  and 
L.  Blundell 
Sperry  Utah  Company 

Method  for  Determining  the  Cost  of  Failures 

Dr.  D.  E.  Tijn 

AEIHC  Research  Corporation 

Results  of  a Test -to -Failure  Program  on  Electronic  Parts 

L.  M.  ST.  Martin 

General  Dynamics  Corporation 

Session  XV 

Moderator  - Hubert  M.  Drake 
NASA  Flight  Research  Center 

The  Human  as  a Missile  System  Component 

R-  F.  Chaillet  and 
A,  Steinberg 

AOMC } Huntsville,  Alabama 

The  Role  of  Human  Factors  in  White  Room  Manufacturing  Reliability.  . 

Dr.  E.  I.  Gavurin 
General  Electric  Company 

Resources  to  Support  a Man-Machine  System.  ............. 

Dr.  B.  W.  Pickrel 
Douglas  Aircraft  Corporation 
Dr.  W.  W.  Haythorn 
Rand  Corporation 

On  the  Application  of  Linear  Programming  Techniques  to  Human  Factors 
in  Space  Programs.  . 

P.  Young 

Sperry  Utah  Company 


Session  V 

Moderator  - Dr.  L.  S.  Gephart,  NASA 

Director,  Office  of  Reliability  and  Quality  Assurance 


Page 


6l 


69 


99 


111 


121 


125 


133 


l4l 


4 


TABLE  OP  CONTENTS 


Page 

Redundant  Adaptive  Flight  Control  Systems  as  Used  in  Space  Vehicles 1474— 

J,  N.  Mitchell 
A.  J,  Foreman 
Mi nneapol i s -Honeywell 
Regulator  Company 

SNAP  Reliability  Program.  . * 157 

C*  J.  Brous 

W.  R.  Vaughn 

Atomics  International 

Redundancy  and  its  Application  to  Analog  Circuit  Types  Project  Relay,  ....  179 

Ri  A,  Smith 

Radio  Corporation  of  America 

Predicting  Space  Mission  Success  Through  Time  Stress  Analysis.  , . 199 

I.  Boshay 
H.  L.  Shaken 

Aerojet  General  Corporation 
Session  VI 

Moderator  - RADM  M.  Reynolds  , USN 

Force  Material  and  Fleet  Readiness  Officer 

Reliability  Analysis  of  Redundancy  Mechanisms,  , , . . • , 227 

G,  Friedenreich 
N,  Lichter 

Grumman  Aircraft  Company 

Graphic  Solutions  of  Reliability  Logic  Equations 243 

W.  E,  Marshall 

Mi  nne  apoli  s -Ho  neywe  11 

Regulator  Company 

MTBF  Apportionment  in  Reliability  Control  of  the  Mauler  Design 251 

L,  R.  Doyon 
Raytheon  Company 

Reliability  Evaluation  and  Environmental  Testing  of  Printed-Wiring-Board 

Solder  Joints.  . . * . , 265 

M,  L,  Hinkle 

General  Electric  Company 

Experimental  Evaluation  of  Statistical  Predictions  of  Circuit  Performance.  , . 285 
M.  A*  Young 

International  Business  Machines 
Session  VII 


Moderator  - Brig,  Gen,  W.  Thames > USA 

Commanding  Officer,  General  ADVENT  Management  Agency 


5 


TABLE  OF  CONTENTS 


Page 


The  Specification  and  Assurance  of  Large  MTBF’s  Typical  of 
Spacecraft  Equipments * 

C.  C,  Petersen 
Motorola,  Inc. 

Reliability  Programs  for  11 LM  Systems 

Major  J.  R,  Barton,  USAF,  AFSC 

G,  H.  Allen,  AFSC 

Designing  Reliability  in  Spacecraft  Solar  Power  Supplies*  , 

I.  Doshay 
W.  F,  Emrich 

Aerojet  General  Corporation 
Air  Force  Space  Reliability  Program 

H.  Fritz 

Space  Systems  Division,  USAF 

Transit  Reliability * * * 

R*  W.  Cole 

Applied  Physics  Laboratory 
Johns  Hopkins  University 

Session  VIII 

Moderator  - RADM  K.  S*  Masterson,  XJSN 
Chief,  Bureau  of  Naval  Weapons 

Introduction  to  Bell  Telephone  Laboratory  Papers*  ***** 

The  Economics  of  a Reliable  System,  * * * * * 

L.  N.  St.  James 

Bell  Telephone  Laboratories 

System  Reliability  Estimation,  , * * * < 

L.  N.  St,  James 

Bell  Telephone  Laboratories 

System  Reliability  Evaluation  Testing,  * 

G,  A*  Schieser 

Bell  Telephone  Laboratories 

Confronting  the  Environment. 

T,  B.  Delchamps 

Bell  Telephone  Laboratories 

System  Reliability  Evaluation  from  Success  and  Failure  Data 

L.  N.  St,  James 

Bell  Telephone  Laboratories 


297 


303 


311 


321 


333  J 


339 

341 


355 


363?/ 


367 


6 


TABLE  OF  CONTENTS 


Page 

A Survey  of  Techniques  for  Analysis  and  Prediction  of  Equipment 

Reliability . 387 

H.  E.  Blanton 
Raytheon  Company 
R.  M.  Jacobs 
Sylvania  Corporation 

Hydraulic  Control  Reliability  in  Space  Vehicles.  .............. 

A.  B.  Billet 
VICKERS,  Incorporated 

Reliability  in  Procurement  on  F-1G5  Aircraft  Electronic  Systems 423 

C.  W.  Russell 

Republic  Aviation  Corporation 

Statistical  Methods  for  Reliability  Monitoring 44i 

N.  R.  Garmer 

Aerojet  General  Corporation 

Statistical-* Circuit  Analysis  in  Practice.  . . 447 

F.  A.  Applegate 
General  Electric  Company 

LIST  OF  CONFERENCE  ATTENDEES 463 


7 


KEYNOTE  ADDRESS  BY 
GENERAL  B.. -A.  SCHRIEVER 
SEVENTH  MILITARY-INDUSTRY  MISSILE  AND 
SPACE  RELIABILITY  SYMPOSIUM 
SAN  DIEGO,  CALIFORNIA 


MANAGEMENT  — THE  KEY  TO  ACCOMPLISHMENT 


It  gives  me  great  pleasure  to  be  with  you  this  morning.  The  symposium  this  week 
is  a welcome  chance  to  tackle  specific  reliability  problems — and  to  come  up  with  some 
solutions.  The  exchange  of  ideas  is  always  valuable,  and  I am  confident  this  meeting 
will  lead  to  even  greater  teamwork  between  military  and  industry  on  problems  of  mutual 
concern. 

I am  certain  that  I do  not  have  to  convince  you  of  the  importance  of  reliability. 

If  you  are  not  convinced  already,  no  words  of  mine  could  persuade  you.  Nevertheless, 
it  may  be  helpful  to  look  at  the  increasingly  urgent  requirements  for  dependability  in 
modern  aerospace  systems. 

In  recent  years  it  has  become  clear  that  performance  has  outstripped  reliability 
in  a number  of  areas.  This  imbalance  needs  to  be  corrected.  Overall  systems  effective- 
ness implies  considerably  more  than  performance.  In  the  past,  performance  has  received 
the  lion's  share  of  our  attention.  It  has  leaped  ahead  in  a spectacular  fashion,  while 
reliability  has  been  hidden  away  in  a lump  of  things  called  "just  good  engineering." 

But  as  our  missions  become  more  sophisticated  and  hardware  grows  more  complex, 
reliability  becomes  a primary  consideration.  It  becomes  a design  parameter  like  size, 
weight,  speed,  and  accuracy.  To  put  it  in  another  way,  we  do  not  consider  that  we 
have  a weapon  system — until  we  have  a reliable  one. 


FORGING  MILITARY  SPACEPOWER  


The  requirements  of  our  national  security  make  this  point  obvious.  In  a credible 
deterrent  force,  operational  readiness  is  fully  as  important  as  mission  profile 
capability.  We  can  make  predictions  of  probable  losses  due  to  enemy  action.  It  is 
equally  important  to  predict  probable  failures  due  to  unreliability. 

Reliability  problems  are  complicated  by  the  fact  that  missile  systems  must  not 
only  be  capable  of  long  storage;  they  must  also  be  capable  of  quick  response.  This 
combination  imposes  extremely  high  demands  for  reliability  in  systems,  sub-systems, 
and  components.  If  a missile  cannot  be  launched  when  it  is  needed,  then  we  would  be 
better  off  without  it. 

As  space  missions  become  a larger  part  of  our  program,  the  demand  for  reliability 
increases  at  a tremendous  rate.  Space  systems  are  growing  in  complexity.  They  are 
required  to  operate  in  a new  environment  which  we  have  yet  to  completely  understand. 
They  will  be  required  to  operate  for  exceedingly  long  time  periods  without  maintenance. 
We  must  approach  infinity  in  reliability  of  space  systems. 

Cost — in  both  time  and  money — is  also  a major  consideration.  The  failure  of  a 
single  component  does  not  affect  just  that  one  part.  It  may  cause  the  failure  of  an 
entire  system,  with  a resulting  loss  of  millions  of  dollars.  Moreover,  failures  at  a 
critical  point  in  development  can  cause  delays  of  weeks  or  months  in  a program  of  great 
national  importance.  For  manned  space  systems,  the  cost  of  unreliability  runs  even 
higher. 

All  of  these  factors  have  caused  U6  to  direct  our  attention  to  the  specific 
reliability  requirements  of  missile  and  space  systems.  We  can  no  longer  afford  to 
take  the  easy  view  that  reliability  is  something  that  "just  happens."  It  must  be 
planned  for  and  worked  for — in  a careful,  organized,  and  systematic  manner.  In  systems 
acquisition  today,  reliability  is  more  than  just  a technical  problem — it  is  a definite 
responsibility  of  management. 


9 


The  Air  Force,  which  is  a major  customer  for  missile  and  space  systems,  has  taken 
a number  of  specific  actions  to  improve  management  in  this  vital  area.  In  my  Command 
we  have  attacked  the  reliability  problem  on  a broad  front,  aiming  at  both  short  and 
long  term  solutions, 

A reliability  office  in  my  Headquarters  coordinates  our  efforts.  Similar  offices 
are  set  up  in  each  of  our  four  development  divisions  and  in  the  three  contract  manage- 
ment regions.  Representatives  from  each  of  these  offices  serve  on  our  Reliability  Task 
Force,  a group  established  more  than  two  years  ago  as  a focal  point  for  Command- wide 
action  in  this  area. 

The  basis  for  attack  on  unreliability  is  adequate  knowledge  by  management  of  the 
specific  problems  that  exist  in  each  stage  of  system  acquisition.  As  a means  of 
analyzing  the  progress  made  toward  establishing  goals,  we  publish  a semi-annual  "Reliabil- 
ity Status  Summary."  This  document  indicates  in  detail  the  problems  that  have  been  met 
in  our  many  programs,  and  the  actions  that  have  been  taken  to  solve  them* 

Our  third  step,  as  customers,  is  to  insure  the  greatest  possible  understanding 
between  the  Air  Force  and  industry  with  regard  to  specific  reliability  requirements. 

One  action  toward  improving  our  mutual  understanding  was  the  publication  of  Military 
Specification  MIL-R-S75^2,  "Reliability  Requirements  for  Aerospace  Systems,  Sub-systems, 
and  Equipments,"  This  replaces  several  earlier  documents  and  reduces  the  number  of 
reliability  specifications  now  in  effect.  It  is  now  a standard  section  in  all  new 
systems  contracts* 

A further  step  toward  defining  our  requirements  more  precisely  is  the  inclusion 
of  quantitative  reliability  figures  in  system  inception  documents--*  that  is,  Specific 
Operational  Requirements  (SOR's)  Operational  Support  Requirements  (OSR’s)  and  System 
Package  Plans,  last  January  I sent  a letter  to  our  four  development  divisions  directing 
that  "all  future  system©  contracts  specify  probability  of  mission  success  or  mean  times 
between  failures  as  requirements  in  quantitative  numerical  terms," 

This  use  of  specific  numerical  reliability  requirements  will  provide  a basis  for 
more  effective  controls  on  trade-offs  and  reliability  expenditures*  I am  convinced 
it  will  substantially  accelerate  our  progress  toward  systems  effectiveness* 

Looking  at  the  long  term  needs  in  the  reliability  field,  we  have  focussed  our 
attention  on  two  areas:  research,  and  increased  training  for  our  personnel.  We 

visualize  an  expanded  research  program  that  might  involve  the  outlay  of  several  million 
dollars  a year — and  bring  us  savings  of  many  times  that  amount.  It  would  provide  for 
investigation  of  a number  of  promising  areas,  such  as  development  of  better  reliability 
numerical  models  and  prediction  techniques;  study  of  accelerated  aging  and  non-destructive 
testing;  mathematical  simulation;  improvement  of  incipient  failure  detection;  and  study 
of  the  environment-reliability  relationship. 

The  adequate  training  of  personnel  is  just  as  important  as  increased  research. 

We  are  currently  taking  part  in  several  types  of  educational  programs*  Twenty- five 
U5AF  officers  are  enrolled  in  the  first  18 -month  graduate  course  at  the  Air  Force 
Institute  of  Technology  working  toward  a M.S,  degree  in  reliability  engineering. 

More  than  300  AFSC  personnel  have  completed  one-week  reliability  courses  sponsored 
by  professional  societies  and  non-profit  institutions.  Four  hundred  AFSC  and  AFLC 
personnel  have  taken  a three -week  course  in  reliability  that  has  been  established  by 
the  Air  Logistics  School  of  the  Air  Force  Institute  of  Technology, 

All  of  these  actions  are  directed  toward  improving  our  management  capability,  and 
I am  certain  they  will  pay  off  with  increased  reliability.  Already  we  have  seen  some 
highly  gratifying  results  of  concentration  in  this  area.  The  progress  of  the  Minutemn 
system  is  a good  example.  Luring  the  past  two  years  we  have  made  a sustained  effort 
to  bring  some  40  individual  electronic  components  for  Minuteman  to  an  entirely  new  level 
of  reliability.  The  result  has  been  an  increase  in  reliability  of  about  two  orders 
of  magnitude  in  these  components.  In  other  words,  on  the  average  they  are  about  a 100 
times  as  reliable  as  similar  components  of  two  years  ago* 


10 


In  the  Array  and,  the  Wavy  and  throughout  the  government  generally  there  1b  a 
similar  strengthening  of  reliability  management*  This  is  essential  in  acquiring 
the  kind  of  systems  we  need*  But  there  is  another  factor  that  is  equally  important 
to  progress  in  this  area.  This  might  be  called  a matter  of  attitude. 

In  this  connection,  two  points  need  to  be  stressed.  First  of  all,  there  seem 
to  be  no  theoretical  limits  on  reliability.  If  there  are  practical  limits,  we  have 
not  yet  reached  them — and  I would  not  like  to  predict  that  we  never  will.  We  are 
aware  of  apparent  limitations  today,  but  many  of  them  may  exist  only  in  our  imagi- 
nations.  In  recent  years  we  have  seen  the  solution  of  a variety  of  supposedly 
’'impossible1'  problems.  Management  must  never  rule  out  the  possibility  of  new  technical 
breakthroughs . 

A second  point  is  that  reliability  is  a basic  responsibility  of  management.  In 
this  respect,  management  needs  to  recognize  at  least  four  principles: 

(1)  Reliability  begins  with  initial  design, 

(2)  It  depends  on  aggressive  management  methods  of  controlling  the  reliability 
program, 

{3)  It  must  be  verified  by  a test  program  that  takes  into  account  the  complete 
operating  environment, 

(4)  It  cannot  be  separated  from  other  aspects  of  management  such  as  human 
engineering,  technical  training,  and  personnel  turnover. 

It  is  clear  that  we  can  greatly  improve  systems  re  liability^  if  we  want  to  badly 
enough  and  will  accept  our  management  responsibility.  Obviously,  there  will  always 
be  problems  when  we  are  operating  at  the  limits  of  technology.  But  the  presence  of 
problems  we  can’t  solve  should  never  stop  us  from  dealing  with  the  problems  we  can 
solve , 

I am  hopeful  that  this  symposium  will  have  two  results-  It  should  indicate  a 
number  of  the  long-term  reliability  considerations  that  will  concern  us  during  the 
next  years.  And  it  should  point  out  some  of  the  immediate  practical  steps  that  can 
be  taken  to  increase  reliability  at  this  time.  Both  results  will  contribute  to  our 
common  goal — the  acquisition  of  operational  systems  that  can  be  depended  upon  to  help 
insure  our  national  security  and  survival, 

I am  sure  you  will  have  a series  of  stimulating  and  fruitful  sessions. 

Thank  you. 


11 


SPECIFYING  RELIABILITY  IN  MILITARY  CONTRACTS 


Maj/Gen  0.  J.  Ritland 
Commander,  Space  Systems  Division 
Los  Angeles,  Calif. 


I am  grateful  for  this  opportunity  to  talk 
about  reliability  specifications.  It  is  a 
subject  of  paramount  importance  in  modern 
weaponry. 

The  results  we  have  experienced  in  pro- 
ducing reliable  military  systems  have  stemmed 
directly  from  the  decisions  made  and  support 
given  by  the  individuals  present  here  today. 

Yet  despite  significant  progress  in  the  past, 
we  still  have  ‘a  substantial  distance  to  travel 
in  reliability.  Of  this  you  are  well  aware. 
Therefore,  I will  not  dwell  on  the  importance 
of  reliability,  nor  direct  my  remarks  in  a 
motivational  vein.  Instead,  I should  like  to 
present  to  you  some  concrete  experience  of  the 
Air  Force  during  several  years  of  contracting 
for  reliability  in  ballistic  and  space  systems. 

Today,  I plan  to  discuss  the  following 
areas: 

Some  Basic  Reliability  Concepts 

Brief  History  of  Contractually  Specifying 
Reliability  Requirements 

Management  Requirements 

Quantitative  Requirements 

Control  of  Piece  Parts 

Current  Trends  in  Specifying  Reliability 
Requirements 

In  setting  the  stage,  I would  like  to 
consider  several  basic  reliability  concepts  of 
importance  to  my  subject.  These  are: 

First:  Reliability  is  one  of  the  major  system 

design  characteristics.  It  is  a character- 
istic which  must  permeate  all  technical,  cost, 
schedule,  or  other  management  considerations 
for  decision  making.  There  are  two  distinct 
complementary  methods  of  attaining  reliability; 
one  is  through  technical  development.  The 
other  is  through  management  control.  Relia- 
bility through  technical  development  begins 
with  design  assurance,  and  progresses  thru 
developmental  testing  and  measurement  to 
production  control  and  handling  and  packaging. 
As  an  area  of  management  control,  reliability 
is  attained  through  application  of  system  re- 
liability requirements  at  all  decision  making 
levels,  and  by  rigid,  uncompromising  en- 
forcement of  discipline  in  every  action  or 
decision. 


In  both  approaches  reliability  cannot  be 
left  to  chance.  It  can  only  be  assured  through 
a carefully  planned  and  executed  program.  It 
cannot  be  expected  from  some  significant 
scientific  or  engineering  breakthrough.  It 
will  be  accomplished  through  minute  and  met- 
iculous attention  to  detail. 

Second:  The  controls  exercised  over  the  selec- 

tion testing  and  use  of  piece  parts  are  pro- 
portional to  the  potential  for  reliability 
payoff. 

Third:  Successful  competition  for  military 

systems  contracts  will  be  increasingly  de- 
pendent upon  a firm's  demonstrated  capability 
to  produce  a reliable  product. 

Fourth;  Qualitative  superiority  is  the  key  to 
successful  exploitation  of  space. 

These  concepts  are  not  new  to  you.  Col- 
lectively we  have  been  on  a learning  curve  in 
the  field  of  missile  and  space  reliability. 

From  lessons  learned  over  the  past  five  or  six 
years  we  know  that  we  must  tailor  the  " design 
characteristic”  aspect  of  reliability  to  the 
performance  requirements  of  each  system  and 
then  provide  the  management  controls  to  attain 
these  requirements.  The  military  services 
recognized  the  need  to  specify  reliability 
requirements  in  contracts  as  early  as  1956. 

Early  requirements  were  in  the  form  of  clauses 
oriented  toward  the  technical  or  “design 
characteristic"  aspect  of  reliability.  One  of 
the  first  specifications  developed  and  issued 
by  the  military  was  MIL-R-25717  (USAF)  "Re- 
liability Assurance  Program  for  Electronic 
Equipment",  11  January  1959*  Subsequently, 
many  specifications,  bulletins,  and  exhibits 
were  published  by  the  services. 

As  we  moved  up  the  reliability  learning 
curve,  it  became  increasingly  apparent  that 
there  was  an  urgent  need  to  pull  together  the 
various  management  factors  into  an  integrated 
requirements  package.  One  of  the  first 
documents  developed  with  this  objective  in  mind 
was  Air  Force  Ballistic  Missile  Division  (AFBMD) 
Exhibit  58-10,  "Reliability  Program  fpr  Ballistic 
Missile  and  Space  Systems".  That  exhibit  was 
incorporated  into  Ballistic  Missile  and  Space 
Contracts  resulting  in  a significant  impact  on 
the  appropriate  segments  of  industry.  Shortly 
thereafter,  MIL-R-26674  (USAF)  "Reliability 
Requirements  for  Weapon  Systems",  18  June  1959, 
was  issued  by  Hq  ARDC.  This  paralleled  AFBMD 
Exhibit  58-10  and  was  applied  to  manned  air- 
craft systems. 


13 


Subsequently  the  best  features  of  these 
three  documents  were  incorporated  into  the 
current  specification,  MIL-R-27542,  "Relia- 
bility Program  Requirements  for  Aerospace 
Systems,  Subsystems,  and  Equipment  , 11  published 
in  June  of  ig6l. 

With  that  brief  outline  of  how  our  basic 
reliability  specification  was  developed,  let 
us  turn  to  some  of  the  more  significant 
management  aspects  of  an  adequate  reliability 
program. 

Some  of  the  most  formidable  problems  in 
the  production  of  reliable  systems  lie  in  the 
management  area.  An  axiom  long  recognized 
by  the  military  services  is  that  the  inherent 
reliability  of  design  represents  the  highest 
reliability  the  product  has  any  chance  of 
reaching.  Everything  that  happens  downstream 
of  design  release , with  the  exception  of 
design  changes,  tends  to  degrade  the  inherent 
reliability  of  design.  Therefore,  after 
initial  design  phase,  the  major  reliability 
effort  should  be  concentrated  in  prevention  of 
this  degradation.  The  reliability  effort 
should  be  organized  to  provide  all  the 
necessary  design,  service  and  staff  functions 
and  skills  to  minimize  the  degradation  that 
may  occur  during  materiel  procurement,  storage, 
issue,  manufacturing,  handling,  packaging  for 
shipment,  and  transportation  to  the  customer* 

All  of  the  major  functional  areas  just 
mentioned  are  assigned  line  responsibilities 
within  most  companies.  A legitimate  question 
might  be,  why  a reliability  organization? 

The  reason  is  obvious*  As  pointed  our  earlier, 
reliability  cannot  be  left  to  chance.  It  is  a 
fact  of  Military  and  Industrial  organizational 
life  that  many  groups,  whose  efforts  bear 
directly  upon  reliability,  do  not  possess  the 
necessary  authority  and  responsibility  to 
achieve  reliability.  Furthermore,  the  ever- 
present demands  for  more  effort  in  a shorter 
time  span  at  lower  costs  can,  and  often  do, 
influence  such  groups  to  slight  reliability 
considerations  — often  with  subsequent  costly 
results.  Unless  these  weaknesses  are  over- 
come, it  is  virtually  impossible  to  achieve 
the  required  level  of  reliability. 

MIL-R-27542,  mentioned  earlier,  estab- 
lishes minimum  requirements  that  must  be 
followed  in  planning  and  organizing  a relia- 
bility program.  Its  purpose  is  to  introduce 
and  maintain  management  visibility  into  the 
reliability  program  to  assure  that  contractual 
reliability  requirements  are  met.  Many  of  you 
are  familiar  with  this  document.  It  contains 
the  major  requirements  which  we  have  found 
essential  to  a well  conceived  reliability 
program. 


The  Design  Selection  Phase  of  this  document 
sets  forth  the  requirements  to  be  accomplished 
by  a prospective  contractor  in  developing  the 
reliability  portion  of  his  proposal.  Briefly, 
this  section  of  the  mil  spec  requires  estimates 
of  maximum  environmental  and  stress  conditions 
the  system  may  encounter.  This  estimate  is  to 
be  used  as  the  basis  for  a prediction  Of 
achievable  reliability  during  the  developmental 
period.  In  this  phase  anticipated  problem  areas 
should  be  identified  together  with  proposed 
approaches  to  their  solution.  A system  relia- 
bility model  with  appropriate  reliability  block 
diagrams  showing  the  apportionment  of  reliabil- 
ity over  the  major  subsystems  and  components  is 
also  required. 

The  prospective  contractor  must  also 
develop,  as  a separate  section  of  his  proposal, 
a description  of  the  reliability  program  to 
include  a detailed  listing  of  specific  tasks 
in  a form  that  permits  technical  auditing  by 
the  government.  It  is  intended  that  the  pro- 
gram plan  identify  the  organizational  elements 
responsible  to  management  for  the  reliability 
program  and  delineate  the  responsibilities  and 
authority  of  these  elements. 

Reliability  Program  Management  requires 
continuous  refinement.  The  actions  necessary 
for  complete  systems  planning,  management,  and 
engineering  must  be  explicitly  defined,  in- 
cluding the  programming  and  control  of  re- 
liability activities  and  a milestone  chart 
showing  the  timing  of  every  major  task.  Formal 
program  review  points  are  established  to  assure 
that  the  program  remains  adequate  and  that  all 
effort  affecting  reliability  is  accomplished 
as  planned. 

In  accordance  with  this  specification,  a 
reliability  program  activity  status  report  is 
required  at  intervals  not  to  exceed  three 
months.  The  information  submitted  will  be 
used  for  Air  Force  and  contractor  management 
review  and  program  control.  This  report  will 
contain  such  information  as  reliability  pre- 
dictions, status  and  results  of  design  reviews, 
actual  or  potential  problems,  pertinent  test 
results,  and  all  other  data,  as  mutually  agreed 
to,  that  would  aid  in  program  status  assess- 
ment. 

So  far  I have  discussed  the  Management 
Requirements  for  a Reliability  program.  I 
would  like  to  turn  now  to  a discussion  of  firm 
quantitative  requirements  and  demonstration 
procedures.  Measurement  of  any  parameter, 
whether  tangible  or  intangible,  requires  refer- 
ence to  some  standard  or  base*  This  applies  to 
reliability  just  as  it  does  to  any  other 
parameter.  Admittedly,  there  are  varying 
degrees  of  measurement  difficulty  and  relia- 


lh 


bility*  at  this  point  in  time*  lies  far  out 
on  the  scale  of  difficulty.  It  is  possible* 
however*  to  set  forth  a firm  engineering 
approach  to  this  measurement  problem. 

Until  we  learn  to  measure  or  evaluate 
required  reliability  efforts*  it  will  be 
difficult  realistically  to  assign  cost  to 
such  effort.  There  are  several  actions  that 
take  place  in  Air  Force  Procurement  Cycles 
which  require  the  utilization  of  quantitative 
expressions  for  reliability  requirements  as  a 
basis  for  evaluation.  These  actions  include 
cost  estimations*  analysis  of  competitive  bids* 
evaluation  of  proposals*  and  evaluation  of 
achieved  reliability  to  determine  that  contract- 
ual requirements  have  been  met.  However*  the 
most  significant  use  of  quantitative  require- 
ments is  in  the  early  design  considerations  of 
the  contractors’  engineering  efforts. 

The  design  groups  should  use  quantitative 
requirements  in  basic  design  considerations 
such  as  reliability  apportionment  and  pre- 
diction in  parts  selection*  and  in  establishing 
reliability  block  diagrams.  The  incorporation 
of  these  considerations  will  be  verified 
through  design  review  and  proven  through  the 
test  program. 

In  order  to  aid  industry  and  the  govern- 
ment in  the  proper  assessment  of  the  relia- 
bility effort*  we  have  been  specifying  quantita- 
tive reliability  in  contracts  for  some  time. 

This  is  the  base  against  which  achieved  re- 
liability is  measured.  We  believe  that  the 
AGREE  {Advisory  Group  on  Reliability  of 
Electronics  Equipment)  Committee  was  completely 
right  in  stating  that  the  best  way  to  arrive 
at  good  reliability  requirements  is  to  begin 
with  the  practice  of  specifying  quantitative 
reliability  requirements . 

When  quantitative  requirements  for 
reliability  are  specified  in  contracts*  we 
attempt  to  augment  these  requirements  with 
statistically  valid  demonstration  techniques 
as  warranted  by  the  circumstances  surrounding 
the  program.  We  realize*  however*  that  the 
number  of  deliverable  systems  on  some  programs 
is  insufficient  to  justify  a reliability 
testing  program  to  prove  statistically  that 
quantitative  requirements  have  been  met. 

Nevertheless*  we  specify  quantitative 
requirements  in  such  contracts  to  be  demon- 
strated by  alternate  methods  as  may  be 
mutually  agreed  to  by  the  Air  Force  and  the 
contractor.  For  example*  reliability  per- 
formance incentive  clauses*  where  such  per- 
formance alters  the  contractor’s  fee*  may  be 


tied  to  the  attainment  of  these  requirements. 

Some  other  alternate  approaches  to  reliability 
demonstration  include;  (a)  the  careful  and 
continuing  evaluation  of  the  design  selection* 
which  is  a major  basis  for  developing  confidence 
in  the  probability  of  the  system  meeting  its 
reliability  requirements;  and  (b)  insuring  every 
possible  use  of  the  available  test  data  from 
developmental  testing  to  determine  the  relia- 
bility of  the  system.  To  aid  in  this  evaluation* 
reliability  program  plans  must  contain  specific 
methods  for  implementing  and  documenting  the 
results  of  design  techniques  such  as  reliability 
apportionment*  safety  factor  analysis*  derating 
procedures*  redundancy*  failure  mode  identifi- 
cation and  identification  and  control  of 
critical  characteristics  of  critical  parts. 

We  expect  industry  to  conduct  system 
analysis  through  development  of  reliability 
block  diagrams*  reliability  predictions*  parts 
lists*  and  to  select  parts  carefully  based 
upon  such  analysis.  Contractors  should  perform 
environmental  tests  to  failure*  and  failure 
effect  analyses.  Also*  the  technique  of  design 
review  is  an  invaluable  aid. 

Another  necessary  management  tool  in 
achieving  reliability  is  a responsive  and 
effective  failure  correction  system. 

Industry  has  taken  the  lead  in  developing 
these  techniques.  We  anticipate  that  industry 
will  continue  to  refine  existing*  and  develop 
new  techniques  in  the  future  to  demonstrate  the 
capability  of  military  systems  to  meet  relia- 
bility requirements. 

In  the  specification  of  reliability  re- 
quirements* it  is  to  the  advantage  of  industry 
for  government  agencies  to  be  as  definitive  as 
possible.  It  is  our  objective  to  continue  to 
eliminate  vagueness  and  generality  from  re- 
liability requirements.  We  will  continue  to 
request  that  industry  does  the  same. 

Turning  now  to  another  important  relia- 
bility management  area*  one  of  the  most  for- 
midable challenges  to  management  is  effective 
controls  over  the  selection  and  application  of 
reliable  piece  parts.  The  Air  Force  has 
experienced  expensive  holds  during  countdown* 
aborts*  and  catastrophic  failures  traceable 
to  the  failure  or  malfunction  of  seemingly 
insignificant  piece  parts.  Items  such  as 
semi-conductors*  capacitors*  resistors*  valves* 
etc. , become  critical  when  incorporated  into 
components  which*  by  malfunctioning*  can  cause 
failure  or  serious  degradation  to  accomplish- 
ment of  flight  objectives.  This  problem  became 
so  acute  that  SSD  sent  a team  of  Reliability 


15 


personnel  out  to  review  the  reliability  work 
of  several  of  our  space  program  contractors* 

Some  significant  findings  resulted  from  that 
series  of  investigations. 

This  review  revealed  that  one  of  the 
primary  problems  in  this  area  is  the  lack  of 
adequate  piece  part  military  specifications 
for  the  space  environment*  Several  members  of 
industry , who  were  visited  by  the  team  had 
recognised  this  fact  and  were  either  augmenting 
test  and  inspection  requirements  in  current 
military  specifications  or  writing  their  own 
specifications . 

The  team  findings  in  this  area  merely 
eonfimed  that  of  other  groups  such  as  the  DOD 
Ad  Hoc  Group  on  11  Parts  Specification  Management 
for  Reliability" * 

There  is  a concerted  effort  under  way 
within  the  Air  Force  Systems  Command  to  bring 
this  parts  specification  problem  under  control. 
In  order  to  develop  a logical  approach  to  the 
problem,  an  AFSC  Parts  Improvement  Group 
composed  of  membership  from  AFSC  Divisions, 
has  been  formed  and  has  held  several  meetings. 
Recommendations  have  been  made  by  the  group, 
and  these  will  be  submitted  to  the  Aerospace 
Industries  Association  and  the  Electronic 
Industries  Association  for  evaluation  and 
comment  prior  to  further  action* 

Meanwhile,  in  order  to  effect  a more 
immediate  interim  solution  to  this  problem , the 
Mlnuteman  Parts  Working  Group  and  the  Space 
Parts  Working  Group  of  the  Ballistic  Systems 
Division  and  Space  Systems  Division*  respective- 
ly, is  rapidly  developing  certain  high  relia- 
bility parts  specifications  for  application 
to  Ballistic  Missile  and  Space  Systems* 
Appropriate  members  of  industry  are  participat- 
ing in  this  effort  with  the  Air  Force,  and  we 
hope  to  have  the  first  of  these  Hi-Rel  specs 
available  by  July  1962. 

In  addition  to  inadequate  specifications, 
the  reliability  survey  team  found  several 
management  weaknesses  which,  as  corrected,  would 
significantly  improve  the  piece  part  selection, 
application  and  control  areas*  Typical  re- 
commendations for  improvement  are  the  follow- 
ing: 

First:  Each  company  should  maintain  a central 

standards  group  charged  with  the  responsibility 
for  keeping  abreast  of  the  parts  field,  and  for 
providing  assistance  to  the  designers  in  the 
selection  and  application  of  parts  within  their 
systems.  Without  such  centralized  control, 
indiscriminent  or  uninformed  selection  and 
application  of  parts  is  inevitable. 


Second:  The  reliability  group  should  be  a 

party  to  the  selection  of  piece  part  vendors 
supplying  critical  parts.  The  advice  and 
assistance  of  the  standards  group,  the  re- 
liability group  and  the  design  group  should  he 
sought  in  establishing  the  criteria  for 
receiving  inspection  and  test  of  piece  parts. 
Suppliers  of  critical  piece  parts  should  be  the 
subject  of  recurring  source  inspections  to 
assure  that  the  system  of  controls  in  the  man- 
ufacture of  such  parts  are  maintained  consistent 
with  the  reliability  requirements  of  the  system 
in  which  the  parts  are  to  be  used,  and  to  assure 
that  no  changes  in  design  or  manufacturing 
processes  are  made  without  adequate  notification. 

Third:  There  should  be  an  integrated  and 

effective  failure  reporting,  analysis  and  closed- 
loop  corrective  action  system  to  assure  that, 
when  failures  occur,  the  cause  is  determined 
and  corrective  action  is  Immediately  taken  to 
preclude  recurrence.  This  corrective  action 
system  should  be  established  to  fit  the  needs 
of  both  the  quality  and  the  reliability  effort - 

Fourth:  Critical  parts  handling  is  a subject 

of  increasing  importance.  All  contractors  must 
develop  parts  handling  methods  consistent  with 
the  reliability  requirements  of  the  parts. 

The  foregoing  comments  on  piece  parts  have 
emphasised  the  term  "Critical  Part. 11  In  view 
of  the  tremendous  number  of  parts  employed  in 
today T s system,  we  believe  that  the  most 
practical  approach  to  control  of  these  parts 
Is  to  identify  parts  in  the  system  where  the 
application  of  the  part  is  critical  to  the 
proper  perfomnance  of  the  overall  system.  After 
parts  for  critical  applications  have  been 
identified,  they  should  be  managed  in  a manner 
consistent  with  the  criticality- 

In  this  regard  the  Space  Systems  Division 
is  now  requiring,  on  new  contracts,  that  the 
contractor  compile  a list  of  critical  parts 
within  the  system  together  with  his  methods 
of  control  of  such  parts  and  a submission  of 
this  list  to  the  appropriate  systems  program 
office  for  review. 

At  this  time  I would  like  to  mention  some 
relatively  new  contract  requirements  for  re- 
liability that  the  Air  Force  Is  either  employing 
or  considering  for  inclusion  in  future  contracts* 

Participation  in  the  Inter service  Data 
Exchange  Program  (IDEP)  has,  in  the  past,  been 
voluntary  on  the  part  of  industry.  The  benefits 
that  have  been  derived  from  this  program  through 
elimination  of  duplicate  testing  have  been 
significant.  The  Space  Systems  Division  is  now 
planning  to  require  contractors  to  participate 


in  IDEP  on  a mandatory  basis.  In  addition* 

IDEP  is  being  expanded  through  a system  called 
FIDEP  (Preliminary  Interservice  Data  Exchange 
Program)*  This  will  require  contractors  to 
report  their  plans  for  testing  with  the 
objective  of  reducing  duplicate  test  planning 
efforts* 

The  Space  Systems  Division  and  Ballistic 
Missile  Division  have  recently  developed*  and 
are  now  placing  in  contracts,,  an  exhibit  which 
supplements  the  standard  quality  control 
specification  MIL-Q-985®*  This  standard 
quality  requirements  while  suitable  for  many 
procurements*  was  found  to  be  too  general  in 
some  areas  to  provide  the  kind  of  specific 
direction  to  industry  which  is  required  on 
Aerospace  Systems. 

The  supplementary  exhibit  (OCAS  Exhibit 
62-10)  is  being  placed  on  new  contracts  within 
SSD.  Among  other  things*  it  requires  that  the 
contractors  engineering  and  design  groups 
classify  inspection  characteristics  and  place 
the  classifications  on  the  drawings.  This 
procedure  requires  the  designer  to  determine 
the  critical*  major  and  minor  characteristics 
of  the  design* 

The  philosophy  behind  this  requirement  is 
that  the  most  knowledgeable  individual  with 
respect  to  a particular  design  is  the  designer 
himself*  He*  therefore*  should  be  the  individu 
al  to  identify  the  critical  characteristics  of 
critical  parts  for  manufacturing*  inspection 
and  handling*  This  classification  of  character 
istics  procedure  can  result  in  considerable 
dollar  savings  through  reduction  of  scrap* 
rework*  inspection*  and  manufacturing  effort 
during  the  manufacturing  cycle. 

In  conclusion*  through  the  collective 
efforts  of  the  military  services  and  industry* 
we  have  made  significant  strides  in  fielding 
reliable  systems.  The  performance  requirements 
and  operational  environments  of  tomorrow1  s 
systems  will  require  greater  strides.  We  must 
be  continually  aware  of  system  reliability 
requirements  and  reflect  this  awareness  in 
every  technical*  cost*  time*  or  other  manage- 
ment decision. 


Thank  you. 


PROCUREMENT  PRACTICES  FOR  RELIABILITY 


William  W*  Thybony,  Colonel,  U.  S.  A* 

Office  of  the  Assistant  Secretary  of  Defense  (l&L) 
Washington,  D,  C* 


Introduction 

M>re  than  ever  before  the  absolute  necess- 
ity for  acquiring  highly  reliable  weapons  and 
equipment  is  being  recognized  in  both  Government 
and  Industry.  As  to  Defense  procurement  prac- 
tices having  a direct  bearing  on  quality  and  re- 
liability, there  have  been  several  major  develop- 
ments ■within  the  past  few  months* 

Notably  among  these  are  the  positive 
actions  being  taken  to  reduce  cost -plus -fixed- 
fee  contracts,  to  increase  the  use  of  Incentive 
type  contracts,  and  to  further  emphasize  value 
engineering*  As  a result,  our  ability  to  con- 
tract for  reliable  equipment  has  improved  consid- 
erably* 

These  efforts  have  been  motivated  and  are 
fully  supported  by  Secretary  of  Defense  McNamara; 
the  Deputy  Secretary,  Mr*  Gilpatric;  and  Assis- 
tant Secretaries  of  Defense  Thomas  D,  Morris  and 
John  H*  Rubel,  as  well  as  all  other  top  Defense 
officials  involved  in  this  field* 

In  June  of  1961,  before  the  NSIA  Joint 
Industry— Defense  Department  Symposium  on  "The 
Profit  Motive  and  Cost  Reduction, 11  Mr.  Morris, 

The  Assistant  Secretary  of  Defense  (installa- 
tions and  Logistics)  stated: 

"I  feel  it  is  mandatory  that  we 
increase  our  use  of  all  our  present 
incentive  type  contracts*  There  are 
very  few  situations  in  which  there  Is 
not  an  opportunity  to  employ  either 
performance  incentives,  value  engi- 
neering or  a combination  of  these  * * * 

In  addition  to  more  enphasis  on  price 
analysis,  we  must  sharpen  our  ability 
to  differentiate  between  good  and  bad 
work*  There  are  several  measurable 
yardsticks  which  should  be  readily 
apparent- -meeting  schedules,  quality 
and  reliability  of  the  product,  seeur- 
ing  competition  In  purchasing,  emphasis 
on  value  engineering,  past  performance 
on  other  contracts,11 

Since  that  time  the  Armed  Services  Procure- 
ment Regulation  has  been  reworked  to  change  the 
emphasis  on  the  selection  and  use  of  the  various 
types  of  contracts  employed  by  the  Department  of 
Defense.  By  this  effort,  we  hope  to  improve  the 
quality  and  reliability  of  Defense  material,  as 
well  as  reducing  overall  costs. 


Background 

The  character  of  defense  procurement  has 
been  changing,  bringing  with  it  corresponding 
changes  in  defense  industries*  While  our  funds 
for  weapons  have  continued  at  a very  high  level, 
these  funds  have  not  been  used  generally  for 
high  volume  production  of  weapons.  An  increas- 
ing proportion  is  going  into  research,  develop- 
ment and  prototype  testing*  New  weapons  and 
weapons  systems  are  fewer,  more  complicated  and 
costly  with  no  assurance  of  large  scale  produc- 
tion* Follow-on  production  contracts  are  not 
as  plentiful  as  heretofore.  These  conditions 
have  noticeably  affected  the  nature  of  our  con- 
tracting and  industrial  profit  opportunities. 

Trends  in  the  usage  of  the  various  types 
of  contracts  for  the  last  eleven  fiscal  years 
show  a drastic  decline  in  the  percentage  of 
Defense  business  done  under  contracts  involving 
substantial  pricing  risks.  Since  1951,  the 
percentage  of  our  procurement  dollars  In  cost- 
plus- fixed- fee  contracts  has  risen  from  13  per- 
cent to  39  percent,  as  fixed-price  contracts 
declined  proportionately  from  78  percent  to  V7 
percent*  This  means  that  we  are  currently 
feeding  approximately  $10  billion  a year  Into 
the  defense  industrial  community  under  cost-plus- 
fixed-fee  contractual  arrangements  that  do  not 
discriminate  in  terms  of  final  profits,  between 
good  performance  and  bad,  between  early  success- 
ful accomplishment  and  protracted  failure,  be- 
tween tight  management  control  of  costs  and 
waste.  Under  cost-plus-fixed-fee  contracts,  the 
profit  is  fixed  at  the  outset  and  does  not  vary 
by  the  quality  of  performance.  In  addition, 
under  some  of  the  earlier  "Incentive"  contracts, 
the  profit  swing  was  frequently  on  too  narrow  a 
scale,  for  Instance,  from  a minimum  of  6 percent 
to  a maximum  of  8 percent  * We  believe  In  such 
contracts,  as  In  CFFF  contracts,  we  have  been 
providing  too  little  incentive  to  give  any  real 
encouragement  for  cost  control,  efficiency,  per- 
formance and  reliability. 

Objectives 

Our  aim  is  to  create  and  sustain  a high 
level  of  military  procurement  efficiency,  and 
cause  the  same  improvements  to  be  brought  about 
in  Industry*  To  achieve  this  end  we  plan  to 
reduce  to  a minimum  our  use  of  cost -plus -fixed- 
fee  contracts,  and  to  substitute  contracts 
which  provide  more  motivation  for  developing  or 
producing  weapons  of  good  performance  and  high 


19 


reliability,  for  early  completion  and  for  very 
close  cost  control*  Obviously,  as  we  move 
through  the  cycle  of  initial  development,  test, 
early  production,  and  volume  production,  the 
importance  of  various  motivating  factors  will 
vary  and,  accordingly,  the  contract  types  will 
vary. 

It  is  our  belief  that,  for  each  of  the 
various  objectives  we  seek  to  accomplish,  there 
must  be  available  a wide  range  of  profits  from 
very  low — in  some  cases,  undoubtedly,  losses — 
to  quite  high,  so  that  the  distinction  between 
very  good,  and  very  bad  performance  can  be  reward- 
ed or  penalised  sufficiently  to  require  the  most 
intensive  management  attention*  By  providing 
this  range  of  possible  profits  we  seek  to  induce 
reductions  in  cost  and  improved  performance  that 
would  completely  outweigh,  as  an  advantage  to 
the  Government,  any  amounts  by  which  overall 
profits  may  he  affected. 

There  is  no  question  in  our  minds  as  to  the 
difficulties  to  be  encountered  in  this  multi- 
measurement  approach  to  incentives.  Foremost 
among  these  is  the  task  of  deriving  realistic 
standards  of  measurement.  Technical  requirements 
will  have  to  be  examined  in  terms  of  precise 
specification  of  reliability  levels  and  agreed 
formulas  developed  for  measuring  and  computing 
achievements, 

ASOFR  Changes 

At  this  time,  we  are  not  introducing  any 
new  types  of  contracts.  However,  pursuant  to 
the  foregoing  comments,  we  have  made  the  follow- 
ing specific  changes  in  the  Armed  Services  Pro- 
curement Regulation; 

1*  We  are  encouraging  a much  wider  use  of 
firm  fixed-price  contracts*  In  the 
past  we  have  tended  to  use  such  con- 
tracts only  when  we  had  extensive  com- 
petition or  we  knew  from  past  experience 
what  the  costs  of  performance  would  be 
within  very  narrow  limits.  In  the 
future  we  expect  to  use  the  firm  fixed- 
price  contract  whenever  we  are  sure 
that  we  can  identify  the  cost  risks  or 
contingencies  with  considerable  accuracy 
and  can  assure  a reasonable  sharing  of 
such  risks  between  the  Government  and 
the  contractor.  Contracts  of  this  type, 
involving  as  they  do  the  greatest  risks 
and  the  greatest  Incentives  for  coat 
reduction,  can  be  expected  to  produce 
the  widest  range  of  profits  and  losses* 
This  wide  spread  of  profits  is  the 
normal  result  of  the  extensive  use  of 
fixed-price  contracts  and  should  not  be 
of  concern  unless  the  average  profit 
rate  gets  too  high* 


2*  We  are  eliminating  virtually  all 
fixed-price  re  determinable  contract 
types  where  the  price  can  be  set  after 
all  or  a portion  of  performance,  and 
such  price  covers  work  already  done  at 
the  time  it  was  fixed.  Such  retro- 
active pricing  arrangements  encourage 
high  costs  up  to  the  point  of  final 
pricing  since  the  higher  the  costs  at 
that  point  the  higher  the  final  price 
is  likely  to  be* 

f , L 

3.  To  re-emphasize,  we  are  seeking  a 
drastic  reduction  in  our  use  of  cost- 
plus -fixed-fee  contracts.  We  hope 
that  we  can  largely  confine  the  use 
of  this  type  of  contract  to  research 
studies  and  other  contractual  situa- 
tions where  our  objectives  cannot  be 
closely  defined.  Most  important,  we 
hope  that  our  large  weapons  develop- 
ment work,  most  of  which  has,  in  the 
past,  been  done  tinder  CPFF  contracts, 
can,  in  the  future,  be  done  under  some 
type  of  incentive  contract* 

4,  As  stated,  we  are  seeking  a great  in- 
crease in  our  use  of  incentive  con- 
tracts--a  far  wider  spread,  both  up 
and  down,  in  potential  profit  ranges 
in  such  contracts  as  an  inducement  to 
better  management  efforts,  and  a very 
rapid  extension  of  our  Incentives  to 
matters  relating  to  the  quality  of 
weapons,  performance  and  the  timeliness 
of  contract  completion,  as  well  as  to 
purely  cost  control  matters,  with 
which  our  past  usage  of  incentives  has 
been  principally  concerned* 

Incentive  Contracting 

In  negotiating  incentive  contracts  it  is 
necessary.  In  each  instance,  to  determine 
specifically  what  phases  of  contractor  perfor- 
mance are  Important  to  us*  We  must  then  ascribe 
to  such  factors  sufficient  weight,  by  which  we 
mean  a sufficient  proportion  of  the  total  profit 
swing,  so  that  those  things  which  are  very 
important  receive  the  greatest  inducement  for 
good  performance  and  those  which  are  of  lesser 
Importance  receive  a lesser  inducement.  The 
incentive  feature  should  reflect  a balancing  of 
the  various  characteristics  which  together 
account  for  overall  performance,  so  that  no  one 
characteristic  will  be  exaggerated  to  the 
detriment  Of  the  end  item  as  a whole.  At  the 
beginning  of  the  cycle  of  a new  major  weapon 
development  we  would  normally  be  most  concerned 
with  assuring  that  the  weapon  being  developed 
would  perform  in  the  manner  we  required.  If 
this  were  a new  missile,  for  instance,  we  would 
be  most  concerned  with  such  factors  as  range. 


20 


payload,  accuracy,  and  reliability,  We  might 
ascribe  one-half  of  the  profit  swing  to  such 
factors.  Secondarily,  because  of  the  necessity 
for  time-phasing  this  weapon  with  our  own  other 
weapons  and  with  those  of  potential  enemies,  we 
would  be  concerned  with  the  time  of  successful 
completion  of  development.  We  might  ascribe 
one-third  of  the  profit  swing  to  this  factor. 

At  this  stage  we  might  ascribe  only  one- sixth 
of  the  profit  swing  to  the  factor  of  cost  con- 
trol on  the  theory  that  extreme  attempts  at  cost 
savings  at  the  very  early  stage  of  the  develop- 
ment of  a new  weapon  may  deteriorate  the  quality 
of  the  weapon. 

Later  in  the  development  cycle  of  the  same 
weapon,  say  after  we  had  achieved  the  requisite 
performance  characteristics  and  were  producing 
for  an  extensive  operational  and  testing  program, 
we  might  want  to  reward  performance  improvements 
such  as  improved  reliability,  continue  to  provide 
some  reward  for  timely  performance,  but  give  far 
heavier  weight  for  close  control  of  costs. 

Finally,  when  all  performance  goals  were 
assured  on  a production  basis,  and  we  had 
similar  assurance  of  timeliness  of  deliveries, 
we  would  be  concerned  only  with  improvements  in 
cost  control.  This  could  be  accomplished  either 
by  a wide-ranging  cost  reduction  incentive,  or 
by  a firm  fixed-price  contract. 

As  a highly  important  feature  of  this  pro- 
gram, we  will  require,  wherever  possible  in 
development  programs,  for  more  precise  determin- 
ations on  the  part  of  the  military  departments 
of  desired  performance  objectives  and  schedules 
of  completion.  As  a result,  we  should  be  able 
to  make  such  desired  objectives  known  to  prospec- 
tive contractors  in  advance  of  source  selection 
by  including  them  in  Requests  for  Proposals. 

Then  performance  and  schedule  completion  targets 
proposed  by  each  prospective  contractor,  to- 
gether with  the  estimated  cost,  will  be  consider- 
ed in  the  evaluation  and  selection  of  the 
successful  contractor. 

We  expect  many  advantages  to  accrue  from 
this  arrangement  since  it  will  permit  the  nego- 
tiation of  targets  and  incentive  patterns  into 
the  contract  while  competitive  proposals  are 
still  available.  In  other  words,  the  individual 
incentive  proposals  will  be  a major  factor  in 
the  competitive  selection  of  the  successful  con- 
tractor. Thereafter  his  proposal  (as  it  may  be 
modified  in  negotiation)  will  be  the  basis  for 
the  contractual  incentive  provisions,  and  will 
govern  the  profit  ultimately  earned. 

Thus  it  will  be  seen  that  contractors  sub- 
mitting unduly  conversative  proposals,  or 
targets  which  involve  little  or  no  risk,  will 
endanger  their  competitive  position  and,  hence, 


the  likelihood  of  their  getting  the  award. 
Conversely,  if  contractors  are  unduly  optimistic 
in  their  promises  they  will  be  in  danger  of 
being  awarded  a contract  at  a very  low  profit 
or  a loss.  As  a result,  we  expect  that  these 
arrangements  will  compel  more  care  and  integrity 
in  the  preparation  and  submission  of  proposals 
for  development  contracts.  The  use  of  this 
technique  will  be  extended  as  rapidly  as  poss- 
ible to  a large  number  of  weapons  development 
situations.  It  should  substantially  increase 
the  objectivity  of  development  contractor 
selection  and  should  somewhat  simplify  the  pro- 
cedure of  negotiating  targets. 

In  cost-plus-incentive-fee  contracts,  we 
have  eliminated  the  administrative  ceiling  on 
maximum  fee  (currently  ten  percent  for  research 
and  development  contracts),  making  it  possible 
for  full  use  of  the  fee  range  up  to  the  statu- 
tory limitation  of  fifteen  percent. 

We  will  strive  to  make  our  negotiations  of 
targets  and  sharing  formulas  as  precise  and 
carefully  analytical  as  is  possible.  The  pro- 
blem of  negotiation  of  targets  is  basically  no 
different  than  the  negotiation  of  the  price  of 
any  other  type  of  contract,  although  more 
difficulties  may  be  anticipated.  The  hazards, 
that  is  to  say  the  pricing  risks,  to  both  the 
Government  and  the  contractor  are  less  in  in- 
centive contracts  than  in  firm-fixed-price  con- 
tracts, but  greater  than  in  cost-plus-fixed-fee 
contracts.  These  risks  provide  the  motivation 
for  better  performance.  There  is  no  question, 
however,  that  the  negotiation  of  realistic 
targets,  based  on  full  disclosure  of  accurate 
and  current  data,  is  essential  in  incentive 
contracts.  We  believe  more  intensive  efforts 
must  be  undertaken,  by  both  Government  and 
Industry,  to  develop  better  estimating  techniques 
and  systems  for  measuring  accomplishments.  We 
believe  further  that  increased  use  of  incentive 
contracts  will  be  an  inducement  to  that  end. 

Value  Engineering 

In  the  near  future  we  will  be  issuing  a 
policy  encouraging  the  increased  use  of  value 
engineering  techniques  and  will  provide  standard 
contract  clauses  for  this  purpose.  Through  this 
new  emphasis  we  plan  to  incorporate  incentives 
for  contractors  to  appraise  intensively  products 
purchased  by  the  Government  under  specifications 
and  to  develop  and  recommend  changes  in  specifi- 
cations which  will  enable  them  to  be  produced 
at  a measurable  savings  in  cost  without  adverse- 
ly affecting  the  required  performance,  quality, 
maintainability,  standardization,  and  inter- 
changeability as  determined  by  the  Government. 

We  are  speaking  of  changes  in  specifications 
which  include,  among  others,  the  deletion  of 
requirements  found  to  be  in  excess  of  actual 


21 


needs  as  to  materials,  material  processes,  toler- 
ances, components,  testing  requirements  and 
testing  procedures.  To  motivate  the  contractor 
to  develop  and  submit  cost  savings  proposals, 
value  engineering  incentives  will  provide  for 
the  contractor  to  share  in  the  estimated  con- 
tract cost  reduction  resulting  from  a specifi- 
cation change  proposed  by  the  contractor  and 
accepted  by  the  Government.  Through  value  en- 
gineering we  expect  to  wed  technical  skill  to 
cost  sensitivity. 


Conclusion 

In  summary,  we  have  launched  a contractual 
system  which  rewards  risk  taking,  efficiency 
and  the  surpassing  of  performance  and  reliability 
goals.  After  coordination  with  many  industry 
associations,  we  are  certain  they  agree  with  our 
incentive  contracting  philosophy,  and  that  we 
can  depend  on  their  support.  Progress  will  de- 
pend on  the  acceptability  of  incentive  contracts 
by  individual  firms.  It  is  imperative  that 
adequate  understanding  be  developed,  and  that 
the  details  of  the  program  and  its  objectives  be 
adequately  communicated  to  the  individuals  who 
will  be  directly  involved,  both  in  and  outside 
of  Government. 

We  believe  the  tools  for  doing  a better 
job  are  now  at  hand.  It  behooves  all  of  us  to 
use  them. 


22 


RE  LIABILITY  SPECIFICATIONS  AND  THEIR  EFFECTS 


A.  H.  Drayner 

Martin  Company  General  Offices 
Friendship  International  Airport,  Maryland 


Summary.  This  paper  covers  in  brief  form  the 
currently  significant  reliability  specifications,  and 
includes  a reliability  specification  "tree"  for  ready 
reference  * Management  requirements  for  effectively 
complying  with  these  documents  are  discussed,  and 
one  multi -Division  systems  manufacturer's  organiza- 
tion for  reliability  management  is  briefly  described . 
Cost  implications  of  reliability  specifications,  as 
well  as  reliability  considerations  of  incentive -fee 
contracts  are  mentioned  and  several  of  the  current 
reliability  management  problems  in  these  areas  are 
reviewed . 

Introduction 

For  purposes  of  discussion,  a specification  is 
conveniently  defined  as:  MA  formalized  system  of 
documentation,  usually  relating  to  details  of  work  to 
be  performed  under  a contract. " In  the  United  States, 
military  specifications  have  apparently  been  around 
for  a long  time;  for  example,  in  a recent  paper  1, 
there  was  included  a reproduction  of  a cannon  ball 
specification  issued  one  hundred  and  sixty -three 
years  ago  (incidentally,  people  were  not  as  techni- 
cally ignorant  then  as  one  might  think:  in  this  partic- 
ular specification,  there  are  numerical  test  require- 
ments for  material  elastic  limit,  tensile  strength, 
elongation  after  rupture,  and  test  specimen  area  re- 
duction) , It  is  not  recorded  whether  the  cannon  ball 
specification  was  ever  cancelled , Since  that  time 
military  specifications  have  proliferated  in  great 
number,  their  rate  of  preparation  being  greatest 
since  the  second  World  War. 

Reliability  inclusion  in  specifications  dates  from 
the  early  1950's  and  again,  the  growth  in  numbers 
has  been  great.  Data  in  this  area  may  be  found  in 
a remarkably  complete  history  of  reliability  that  is 
contained  in  a recent  paper  by  C . M . Ryerson, 
covering  many  of  the  early  documents  in  the  field^. 

Gamut  of  Specifications 

It  has  been  said  that  there  are  currently  approx!  - 
mately  twenty  -eight  hundred  cubic  feet  of  Govern  - 
ment  specifications  extant  (accumulation,  one  copy 
each)  , Naturally,  these  cover  a range  of  topics  from 
"A-Napthol"  (a  chemical  reagent)  to  "X-Ray  Labora- 
tory s' ’ (procedures  for  certification  of)*  across  ail 


Government  activities , 

Specifications  appear  under  many  names  and 
forms.  In  addition  to  pure  specifications,  there  are 
also  standards,  specification  bulletins,  exhibits, 
technical  reports,  notebooks,  handbooks,  guides, 
even  contract  appendices , all  of  which  fail  under  the 
above  definition. 

Additionally,  there  are  a body  of  intimately  re- 
lated regulatory  and  directive  documents.  Publi- 
cations such  as  Air  Force  Regulations,  Special 
Aeronautical  Requirements,  and  the  Armed  Services 
Procurement  Regulations  are  very  important  in  our 
business,  but  relatively  unknown  to  many  reliability 
organizations . 

To  reduce  quantity  and  increase  acceptability  of 
documentation,  elements  of  industry  are  continually 
working  closely  with  the  Services  in  specification 
development  and  review . Every  trade  association 
with  technical  activities,  and  most  technical  soci- 
eties, have  significant  specification  committees  in 
fields  related  to  their  interests.  Many  of  the  aero- 
space companies  also  directly  contribute  the  time 
of  specialists  to  Government  agencies  on  particular 
tasks , 

There  are,  as  well,  moves  within  the  Government 
to  reduce  the  quantity  and  increase  the  quality  of 
specifications  in  specific  areas.  As  an  example,  the 
280  or  so  specifications  and  standards  for  prepara- 
tion of  technical  manuals  are  being  reduced  to 
approximately  40  in  a determined  effort  by  the 
Defense  Supply  Management  Agency,  Standardization 
Division . 

Reliability  Specifications 

Here,  too,  we  have  an  embarrassment  of  riches. 
Tiie  re  are  in  excess  of  two  hundred  identifiable 
Government  specifications  and  documents  related  to 
the  establishment  and  support  of  reliability  require- 
ments , 

In  the  type  of  business  in  which  the  Martin 
Company  is  engaged  we  are  concerned,  essentially 
daily,  with  about  one  hundred  of  these  specifications. 
They  are  noted  and  categorized  in  figure  1 . 


23 


In  addition,  in  common  with  other  Aerospace 
companies,  we  deal  with  a number  of  special 
” interpretive"  reliability  specifications  aimed 
directly  at  such  programs  as  GEMINI,  TITAN, 
PERSHING,  BULLPUP,  etc. 

It  is  interesting  in  the  examination  of  a chart  such 
as  this,  to  note  the  "inversion’ ‘phenomenon  — such 
tremendous  general  specifications  as  MIL -W  -9411, 
MIL-E-8189,  MIL-E-5400,  and  MIL-E -16400  become 
"support"  documents  when  a reliability  specifications 
analyst  views  the  situation! 

Because  of  the  wide-spread  use  of  the  cited  docu- 
ments in  our  diversified  activities,  our  Contract 
Technical  Requirements  sections  prepare  abstracts 
of  the  most  significant  specifications,  from  which 
concerned  personnel  can  quickly  extract  pertinent 
information.  The  data  so  abstracted  is  not  meant  to 
be  particularly  interpretive,  but  readily  provides 
program  planning  data  for  people  concerned  with  the 
broad  aspects  of  projects. 

Major  Reliability  Specifications 

First,  and  most  important  to  most  of  us,  is  the 
systems  type  reliability  specification.  Perhaps  the 
best  current  example  of  this  is  MI L-R -27542,  which 
replaced  three  other  large  specifications;  MIL-R- 
26674,  MIL-R -25717,  and  AFBM  Exhibit  58-10. 

These  major  documents  are  truly  omnibus  specifi- 
cations, almost  suitable  for  text  book  use.  They 
cover  in  reasonable  depth  the  thirty  or  more  elements 
of  a complete  reliability  program,  including  reporting 
systems  and  methods  of  analysis.  (In  the  case  of 
MIL-R -27542,  the  sequence  of  its  sections  is  not  one 
that  a program  plan  should  necessarily  follow,  but 
most  of  the  information  is  there) . 

MIL-R-27542  (USAF)  establishes  requirements  for 
an  organized  reliability  program  to  assure  attain- 
ment of  contractual  requirements  at  a specified  time 
for  a complete  system  and  its  sub-systems,  including 
requirements  for  collection  and  reporting  of  consid- 
erable reliability  data.  General  requirements  on  the 
systems  contractor  are: 

1 . Development  of  a complete  reliability  program 
based  on  eight  fundamental  principles; 

2.  Continuous  program  review  at  preplanned 
steps; 

3 . Continuous  reliability  training  for  all 
personnel  who  contribute  to  product 
reliability; 

4.  Responsibility  for  subcontractors'  and 
suppliers'  reliability  programs; 

5.  Inclusion  of  reliability  principles  in  design, 
with  seventeen  examples  included; 


6 . Establishment  of  specifications  and  standards 
for  use  in  manufacturing  and  inspection, 
including  classification  of  characteristics; 

7.  Conducting  of  design  reviews,  with  approval 
of  reliability  organization  required  prior  to 
design  finalization; 

8 . Conducting  of  development  testing  for 
estimation  of  reliability  in  accordance  with 
MIL-R -26667; 

9 . Demonstration  of  achieved  reliability  in 
accordance  with  customer  approved  plans; 

10.  Collection,  summarization,  and  submittal  of 
many  types  of  data  throughout  the  program . 

The  complete  framework  for  satisfying  the 
requirements  of  MIL -27542  must  be  included  in  the 
proposal  prior  to  award  of  contract,  including  spe- 
cific tasks  and  procedures  for  implementation  and 
control,  and  predictions  of  reliability  based  on 
estimated  environmental  and  stress  conditions. 

MIL -STD -441  (POD)  is  specifically  concerned  with 
electronics  equipment,  and  is  unique  in  being  a De- 
partment of  Defense  document  rather  than  a single 
service  output.  It  is  mandatory  for  use  by  the 
military  Departments.  It  emphasizes: 

1.  Analysis  of  feasibility  during  "Phase  I",  with 
extensive  utilization  of  parts  failure  rate  data . 
It  assumes  an  exponential  distribution  of 
failures  and  requires  investigations  and 
allocations  to  the  parts  level . 

2.  Prototype  construction  and  extensive  test 
evaluations  during  a "Phase  II"  . A major 
report  is  required  at  the  end  of  this  phase 
that  provides  detailed  information  covering 
eleven  general  consideration  areas. 

3.  Selection  and  application  of  standard  circuits 
and  parts.  It  controls  utilization  of  non- 
standard items  through  strong  approval  re- 
quirements. 

Equipment  and  Sub -system  Reliability  Specifications 

The  next  level  of  documents  in  this  rather  arbi- 
trary breakdown  covers  reliability  in  design,  devel- 
opment, and  production  of  equipments  and  sub- 
systems. These  seven  important  specifications  are 
particularized  from  the  equipment  class  point  of  view, 
and  in  addition,  some  are  phase -related  to  develop- 
ment or  production. 

MIL-R-27070(USAF)  provides  general  reliability 
procedures  and  criteria  for  initial  development  of 
ground  electronic  equipment,  and  details  minimum 
reliability  requirements  to  be  demonstrated  if  this 
is  not  covered  in  the  detail  equipment  specification 
or  contract.  It  requires  tests  to  demonstrate 


24 


achievement  of  specified  reliability  at  a confidence 
level  of  90%  as  well  as  continuous  analytical  esti- 
mates. Since  both  MIL -R -26484  (USAF)  and  MIL- 
R-27173  (USAF)  cover  much  of  the  same  material, 
this  particular  document  appears  to  be  redundant. 

MIL -R -27 173  (USAF)  is  applicable  to  research 
and  development  contracts  and  details  the  minimum 
requirements  to  assure  design  and  manufacture  of 
reliable  ground  electronic  checkout  equipment.  If 
not  called  out  otherwise,  it  requires  a mean -time  - 
between -failure  (MTBF)  of  300  hours  for  checkout 
equipment  or  500  hours  for  major  sub -systems  and 
assemblies . Demonstration  of  compliance  is  re  - 
quired  by  tests  on  at  least  two  items,  and  test  time 
must  be  at  least  three  times  the  specified  MTBF . 
Extensive  documentation  and  approval  procedures 
are  established. 

MIL -R -26484  (USAF)  covers  minimum  require  - 
ments  and  procedures  for  reliability  that  must  be 
followed  during  research  and  development  of  elec- 
tronic sub -systems  or  individual  equipments.  This 
specification  is  based  largely  on  MIL -STD -441,  and 
requires  at  least  three  times  the  specified  MTBF  in 
demonstration  testing,  utilizing  a cycle  that  includes 
five  types  of  multiple  environments.  Also,  unless 
otherwise  specified,  it  requires  a 3000  hour  minimum 
operating  life  with  reasonable  servicing,  and  a test  on 
at  least  two  equipments  for  the  specified  longevity 
time  using  the  MTBF  test  and  cycling.  Extensive 
documentation  and  approval  requirements  are 
established. 

MIL  -R-26474  (USAF)  is  based  on  MIL -STD -441 
and  is  aimed  at  production  ground  electronic  equip- 
ment. It  requres  a detailed  reliability  program 
consistent  with  this  specification  and  MIL -STD -441. 

It  requires  preproduction  and  production  reliability 
tests  on  randomly  selected  samples  of  equipment 
that  have  passed  all  acceptance  tests.  Iterative 
reliability  analyses  and  estimates  throughout  the 
program  are  required  in  addition  to  other  reliability 
documentation.  The  test  requirements  of  this  spec- 
ification are  in  conflict  with  MIL -R -26667  (USAF) 

" Demonstration  Requirements”  and  negotiators 
should  examine  this  carefully. 

MIL-R-19610  (WEPS)  outlines  minimum  require- 
ments for  production  electronic  equipment.  It 
establishes  several  levels  of  reliability  based  on 
hours  of  operation  and  failure  criteria.  It  requires 
a plan  for  maintaining  equipment  quality,  and  the 
contractor  must  establish  costs  involved,  above 
’’normal”  quality  control  costs,  to  comply  with  this 
specification  prior  to  award  of  contract.  A group 
of  tests  are  specified  in  lieu  of  acceptance  tests 
required  in  the  detail  equipment  specification,  plus 


life  tests  on  equipment  selected  by  the  Government 
Inspector,  based  on  MIL-T-18303  as  a guide.  There 
have  been  numerous  detailed  objections  to  this  docu- 
ment and  its  use  should  be  carefully  evaluated. 

MIL-R-22256  (WEPS)  outlines  procedures  to  en- 
sure high  inherent  reliability  in  the  design  and  de- 
velopment of  electronic  equipment  or  systems 
planned  for  production.  It  requires  a thorou^i  re- 
liability program  (15  areas  of  activity  are  discussed) 
extending  through  to  completion  of  model  evaluation . 
Demonstrations  for  reliability  or  longevity  are  not 
required  but  several  environmental  tests  are  speci- 
fied. Phase  I reports  in  accordance  with  MIL -STD - 
441  are  required,  as  well  as  preliminary  and  final 
Phase  II  reports.  Reports  on  study,  design  plan- 
ning, reliability  calculations,  tests  of  detail  parts, 
subassemblies,  and  circuits  are  required. 

MIL-R-22732  (SHIPS)  prescribes  procedures  for 
establishing  and  verifying  reliability  requirements 
for  preproduction  and  production  ground  and  ship- 
board electronic  equipment.  It  requires  a relia- 
bility assurance  plan,  calculation  of  MTBF  per 
NAVSHIPS -93820,  and  reliability  analyses  with  pro- 
posals for  redesign  as  necessary.  Tests  of  several 
classes  are  covered,  plus  production  reliability  in- 
spections and  failure  reporting  systems.  Content, 
timing  and  format  of  numerous  reports  require  defin- 
itization. 

Auxiliary  Reliability  Specifications 

Next  in  order  of  significance,  and  probably  the 
documents  that  create  more  argument  than  any  others, 
are  the  ”How  To  Do  It”  back-ups  for  the  major  relia- 
bility specifications.  Such  publications  as  MIL-R- 
26667  (USAF)  and  MIL -STD -756  (WEPS)  are  included 
in  this  group  which  covers  monitoring  methods, 
organization,  demonstration  requirements,  defini- 
tions and  prediction -assurance -measurement  tech- 
niques in  considerable  detail.  Several  cf  these  docu- 
ments were  originally  resisted  vigorously  by  some 
aerospace  contractors  because  of  their  definity  and 
their  requirement  for  particular  types  of  organiza- 
tions and  methods , As  educational  and  guidance 
material  they  provide  a splendid  source  of  informa- 
tion, even  when  not  contractually  required. 

The  three  ’’levels”  of  reliability  specifications 
discussed  briefly  above  represent  seventeen  active 
documents,  plus  the  Naval  Weapon  Systems  document 
which  had  not  been  coordinated  at  time  of  this  writ- 
ing. It  is  instructive  to  note  that  most  of  these  spec- 
ifications are  aimed  at  electronic  systems.  With 
few  exceptions,  all  of  the  techniques  employed  in 
current  reliability  technology  were  developed  around 
electronic  systems  requirements. 


25 


In  addition  to  the  pure  reliability  documents  there 
are  dozens  of  other  specifications,  each  important 
in  its  own  right*  These  " support11  documents 
(Figure  1)  are  often  key  specifications  in  other  fields, 
but  are  related  to  reliability  efforts  in  many  ways* 
For  example,  it  is  not  possible  to  develop  and  de- 
liver reliable  equipment  without  taking  into  full 
account  such  auxiliary  disciplines  as  maintainability, 
human  factors,  training,  quality  control  practices, 
and  proven  packaging  techniques  * Also,  some  of  the 
system  specifications  themselves  contain  reliability 
sections* 

Reference  Documents 

Among  the  most  interesting  of  what  we  have 
chosen  to  call  the  " support"  documents  are  the 
"reference"  publications,  some  of  which  are  even 
good  reading!  They  cover  a melange  of  things,  and 
are  in  some  cases  mutually  contradictory*  It  is  in- 
formative to  note  that  several  are  actually  re-writes 
of  each  other,  to  suit  the  purposes  of  individual 
services.  Also,  the  term  "reference  document" 
may  be  misleading,  since  some  of  these  are  often 
called  out  in  contracts*  In  many  ways,  these  publi- 
cations provide  both  a history  of  reliability  engi- 
neering and  an  indication  of  its  current  status  * 

Three  having  the  most  general  significance  are 
d i s cu  ss  ed  in  s ucc  e e ding  para  graph  s * 

Giant  among  these  publications  is  the  report  of 
the  Advisory  Group  on  Reliability  of  Electronic 
Equipment  (AGREE).  This  document  was  issued  in 
June  of  1957,  andis  often  considered  to  be  the  foun- 
tain head  of  our  modem  reliability  specifications  * 

The  nine  task  groups  of  AGREE  expanded  on  the 
work  of  die  older  Research  and  Development  Board's 
"Ad  Hoc  Group  on  Reliability  of  Electronic  Equip- 
ment" and  really  formalized  and  correlated  the 
manifold  disciplines  of  reliability  engineering  for 
die  first  time*  Implementation  of  die  AGREE  test 
procedures  has  had  excellent  results  in  the  develop- 
ment and  production  of  reliable  electronic  equipment. 

Another  publication  of  fundamental  significance  is 
the  report  of  the  Ad  Hoc  study  group  on  Parts  Speci  - 
fications  Management  for  Reliability  (PSMR-l).  This 
is  a two  -volume  document  issued  in  July  of  1960 
(since  the  40  man  group  was  headed  by  Paul  Darnell 
of  die  Bell  Telephone  Laboratories  it  is  often  re- 
ferred to  as  "The  Darnell  Report")*  The  task  was 
an  outgrowth  of  recommendations  from  AGREE  Task 
Group  V * The  report  confines  itself  to  electronic 
parts  and  recommends  basic  changes  in  Government 
organization  in  the  parts  specifications  area  plus 
fundamental  changes  in  methods  of  preparing  parts 
specifications  to  include  reliability  requirements  and 
demonstration  methods. 


The  sweeping  recommendations  of  PSMR  -1  will 
take  considerable  time  for  full  implementation. 
Significant  initial  reactions  are: 

1 * Changes  are  being  made  in  Chapter  V of 

Standardization  Manual  M -200  (a  guide  on  how 
to  write  specifications)  * These  are  being 
promulgated  rapidly  to  provide  a body  of 
instructions  on  how  to  write  reliability  speci  - 
fications  for  parts  hi  general  accordance  with 
PSMR-1* 

2.  The  Quality  Control  and  Reliability  Division 
of  the  Office  of  the  Assistant  Secretary  of 
Defense  (Installations  and  Logistics)  has  pre- 
pared and  is  currently  coordinating  a manual 
to  supplement  Chapter  V of  M-200*  It  is 
called  "Manual  of  Instructions  for  Incorpo- 
rating Multi  -level  Reliability  Requirements 
into  Parts  Specifications"* 

3.  The  Armed  Services  Electro  Standards 
Agency  (AS ESA)  has  been  moved  organiza- 
tionally and  physically  to  report  to  the  Defense 
Supply  Agency  in  Dayton,  Ohio. 

4.  The  Space  Parts  Working  Group,  under  Air 
Force  guidance,  is  doing  an  excellent  job  in 
coordination  of  contractor  approaches  to 
reliable  parts  specifications  and  procure- 
ment* 

5*  Many  aerospace  companies  and  their  vendors 
are  currently  preparing  specifications  and 
procuring  and  producing  hardware  to  the 
PSMR-1  conditions*  It  is  already  apparent 
that  die  military -industry  teamwork  ex  - 
hibited by  diis  particular  adventure  is  show- 
ing big  bonuses  for  reliability  and  for  the 
nation* 

The  Interservice  Data  Exchange  Program  docu- 
ments, IDEP-1  and  IDEP -2,  are  currently  highly 
important  to  all  of  us , This  system  is  a growing 
monster,  but  a benevolent  and  useful  one.  Emi- 
nently practical,  IDEP's  key  job  of  exchanging 
relevent  parts  test  information  between  contractors 
engaged  in  ballistic  missile  programs  is  based  on 
two  elements:  a simple  yet  complete  summary 
format  and  a rapid -response  handling  and  distri- 
bution system  * Current  efforts  to  firmly  tie  this 
program  into  all  contracts  must  be  very  carefully 
examined.  As  a matter  of  firm  policy  we  participate 
actively  in  IDEP  across  the  Martin  Company. 
Naturally,  we  would  not  object  vigorously  to  con- 
tractual coverage  for  tills  program  but  we  would  like 
to  be  assured  such  coverage  will  not  complicate  the 
system  and  slow  its  response  by  treatment  in  com  - 
mon  with  other  contractual  data  requirements  — 

DD  -250  forms  and  Government  representative  review 
functions,  for  example,  might  seriously  reduce  the 
current  efficiency  of  IDEP* 


26 


A Few  Words  on  Contracts 

On  15  March  of  this  year,  the  eighth  revision  to 
the  Armed  Services  Procurement  Regulations  (ASPR) 
was  issued  affecting  the  contracts  section  * It  is 
clear  from  this  revision  that  there  is  a definite  move 
towards  cost -plus -incentive -fee  and  fixed -price  - 
incentive -fee  contracts  in  our  business. 

It  is  also  clear  that  reliability  engineers  must 
examine  this  situation  in  detail,  A significant 
portion  of  the  postulated  incentive  fees  (which  can  be 
either  positive  or  negative)  will  be  based  on  die  dem- 
onstrated reliability  of  delivered  hardware . 

The  following  are  significant  quotes  from  ASPR, 
Revision  8: 

1 , "The  objective  (of  incentive  contracts)  should 
be  to  insure  that  outstandingly  effective  and 
economical  performance  is  met  by  high  pro- 
fits, mediocre  performance  by  mediocre 
profits,  and  poor  performance  by  low  profits 
or  losses" , 

2,  " the  contract  type  selected  should  pro- 

vide  for  a profit  factor  that  will  tie  profits 
to  the  contractor's  efficiency  in  controlling 
costs  and  meeting  desired  standards  of  per- 
formance, reliability,  quality,  and  delivery. " 

3,  "The  introduction  of  incentives  into  develop- 
ment is  of  such  compelling  importance  that, 
to  the  extent  practical,  firms  not  willing  to 
negotiate  appropriate  incentive  provisions 
may  be  excluded  from  consideration  for  the 
award  of  development  contracts*" 

4 * (Under  cost  -plus  -incentive  -fee  contract 
description)  "The  provision  for  increase  or 
decrease  in  the  fee  is  designed  to  provide 
incentive  for  maximum  effort  on  the  part  of 
the  contractor  to  manage  the  contract  effec- 
tively" (underlining is  the  author's). 

Reliability  engineers  will  be  compelled  to  work 
directly  with  contracts,  legal,  and  financial  person- 
nel, Therefore,  it  behooves  reliability  personnel 
to  learn  the  language  and  special  problems  of  the 
people  with  whom  they  must  deal.  There  is  no 
longer  a place,  if  there  ever  was,  for  the  reliability 
man  who  is  continually  unhappy  because  other  ele- 
ments of  an  organization  do  not  understand  him  and 
refuse  to  learn  his  language;  now,  reliability  people 
must  learn  the  language  of  management  and  join  the 
team , 

With  sub -systems  or  components,  when  design 
and  utilization  is  relatively  simple,  it  is  sometimes 
economically  feasible  to  develop  reliability  demon- 
stration programs  that  will  provide  statistically  and 


legally  valid  proof  of  goal  achievement  within  a 
narrow  confidence  band.  However,  when  it  becomes 
necessary  to  combine  probability  information  from 
sub-system  tests  to  provide,  for  example,  reliability 
"numbers"  for  a large  weapon  system,  the  techni- 
ques for  arriving  at  confidence  intervals  are  so 
controversial  that  non -technical  people  could  be- 
come very  confused. 

It  seems,  then,  that  the  necessary  approach  for 
large  missile  systems  will  be  one  of  developing 
contractually  acceptable  demonstration  plans  based 
on  "yes  or  no"  situations  to  complement,  not  replace, 
the  engineering  statistics  approach , Such  situations 
might  be  — a date  met  or  not,  a review  held  or  not, 
a test  passed  or  not,  a countdown  sequence  completed 
with  no  more  than  a "par  value"  number  of  holds, 
successful  mission  completion  — in  short,  the  kinds 
of  data  that  will  hold  up  (if  needs  be)  in  a court  of 
law  . Probabilistic  numbers  or  gambling  odds  do  not 
seem  to  fit  here;  too  many  people  have  heard  of  the 
book  by  Darrel  Huff  and  Irving  Dels  titled  "How  to 
Lie  with  Statistics" ! Accomplishment  of  the  intended 
mission  is  the  real  concern  of  the  customer,  and 
decisions  on  degree  of  accomplishment  will  not  be 
limited  to  engineering  reviews  alone  when  incentive 
fees  are  involved. 

Management  Considerations 

Fundamental  to  the  establishment  of  any 
channelized  type  of  activity  is  detailed  organization, 
not  only  of  people  and  facilities,  hut  also  of  concepts. 
The  ciimate  induced  by  reliability  specifications 
constantly  reinforces  this  statement. 

In  a broad  field  such  as  reliability  engineering, 
it  is  essential  that  strong  interest  and  leadership 
be  evidenced  by  top  management  in  an  organization. 
The  necessity  for  this  becomes  clear  when  it  is 
realized  that,  while  reliability  is  fundamentally  an 
engineering  discipline,  its  span  of  influence  cuts 
across  all  departmental  functions* 

In  multi -division  multi -customer  companies  it  is 
basic  that  operating  methods  be  mutually  compatible 
to  facilitate  inter -division  assistance  on  major  pro- 
grams. Reliability  policies  and  practices  must  be 
in  reasonable  accord,  and  this  generates  a require- 
ment for  corporate  staff  direction  in  this  a^ea . 

Within  the  boundary  conditions  of  customer  re- 
quirements and  company  policies  and  procedures, 
an  individual  project  must  be  allowed  to  organize 
its  reliability  effort  for  greatest  effectiveness  on 
its  particular  product.  The  working  relationships 
of  the  project  reliability  organization  relative  to 
engineering,  manufacturing,  quality  control. 


27 


material,  and  logistics  support  functions  must  be 
clearly  defined  by  management  directives,  and 
monitored  by  a central  reliability  operation  for 
effectiveness . 

While  this  is  admittedly  a very  much  simplified 
treatment  of  a complex  subject,  the  following  points 
are  salient: 

1.  Leadership  and  guidance,  in  written  directive 
form,  must  be  provided  at  company  executive 
level,  and  repeated  in  particularized  form  by 
successive  echelons  of  management. 

2 . Directive  documents  must  cover  not  only  the 
obvious  engineering  responsibilities  for 
reliability,  but  also  the  concomitant  respon- 
sibilities of  the  other  industrial  functions . 

3 . Audit  and  review  activities  for  the  measure- 
ment of  reliability  organizational  system 
effectiveness  must  be  continuous . 

4 . The  overall  reliability  plan  must  be  kept 
sufficiently  flexible  to  accommodate  changes 
in  customer  direction  or  state-of-the-art  on 
short  notice. 

5.  Management  direction  must  be  strong  enough, 
and  consistent  enough,  to  assure  that  a 
mutually  conformant  reliability  posture  is 
assumed  by  all  company  elements. 

Martin  Company  Approach 

In  giving  emphasis  to  the  subject  of  reliability, 
the  Martin  Company  in  common  with  other  aero  - 
space  corporations  has  evolved  specific  manage- 
ment structures  and  philosophies . The  task  facing 
us  is  typical  among  the  multi -division  multi  - 
customer  aerospace  corporations.  Our  solution 
is  somewhat  unique  in  that  we  have  become  fairly 
well  projectized  within  each  operating  Division, 
and  are  utilizing  a variation  of  what  the  Harvard 
Business  School  calls  the  ”bi  -lateral  line”  type  of 
organization,  from  Company  headquarters  down. 
Since  some  of  the  projects  within  each  of  our 
Divisions  are  organized  very  much  as  a small 
company  is,  our  major  tasks  become  (1)  maintaining 
the  inherent  flexibility  and  discipline  of  a small 
company,  while  (2)  realizing  the  benefits  of  the 
tremendous  resources  and  technical  cross  fertili- 
zation influences  that  only  a large  company  can  pro- 
vide. We  believe  this  has  been  effectively  accom- 
plished in  all  areas,  including  reliability. 

Reliability  Policy  and  Direction 

Reliability  leadership  and  guidance  in  Martin 
begins  at  the  ’’top”  with  a headquarters  office  staff 
function . Full  written  authority  in  the  reliability 
area  is  granted  by  the  President  to  the  Vice  Pres- 


ident-Engineering. A portion  of  the  applicable 
section  of  this  authority  reads  as  follows:  ” — the 
establishment  of  criteria  for  and  control  of  reliability, 
maintainability,  and  training  for  use  and  service  of 
aerospace  division  (Martin  Company)  products  and 
the  development  of  procedures  and  measures  of  per- 
formance concerning  these  activities  ---is  hereby 
vested  in  the  Vice  President -Engineering.” 

The  relevant  portion  of  this  basic  charter  is 
implemented  by  the  Director  of  Reliability,  who 
serves  on  the  staff  of  the  Vice  President -Engineering. 
He  is  responsible  for  generation  of  reliability  policy 
and  direction  across  the  several  divisions  of  the 
Martin  Company,  assisted  by  the  company  Manager 
of  Reliability  Systems. 

In  addition  to  the  general  delegation  from  the 
President  to  the  Vice  President -Engineering,  there 
is  also  a specific  Policy  Directive  on  product  relia- 
bility issued  by  the  President.  Supporting  this  is  a 
product  reliability  program  Operating  Instruction 
issued  by  the  Vice  President -Engineering  which  de- 
fines the  scope  of  activity  of  the  Director  of  Relia- 
bility and  establishes  requirements  on  the  operating 
Divisions.  Other  headquarters  Operating  Instruction 
documents  in  this  area  cover  such  things  as  the 
Inter  division  Reliability  Committee,  across  the  board 
participation  in  the  Inter  service  Data  Exchange  Pro- 
gram, and  definitive  procedures  for  establishing  and 
conducting  design  reviews.  Similar  sets  of  operating 
instructions  and  policy  documents  cover  the  areas  of 
standardization,  maintainability,  engineering  facili - 
ties,  etc.  Utilizing  these  documents  to  establish 
boundary  conditions,  the  operating  Divisions,  and  the 
programs  within  the  Divisions,  establish  their  oper- 
ating instructions  and  organization  structure,  modi- 
fied if  necessary  to  fit  the  special  requirements  of 
each  customer. 

The  Director  of  Reliability  guides  the  preparation 
of  reliability  portions  of  major  proposals  and  the 
establishment  of  reliability  programs  on  projects 
within  the  Divisions . In  maintaining  active  cogni- 
zance of  the  projects,  the  Director  of  Reliability 
assures  that  the  policies  of  the  Company  are  imple- 
mented, and  provides  a direct  channel  of  communi- 
cation to  top  management. 

Figure  No.  2 shows  an  example  of  the  overall 
reliability  organization  bridging  from  headquarters 
to  an  active  project  within  the  Space  Systems  Division 
of  the  Company  (one  of  our  Baltimore  -area  Divisions) . 
The  Director  of  Engineering  of  the  Division  acts  for 
the  Vice  President/General  Manager  on  all  reliability 
matters . His  authority  is  delegated  to  the  Chief 
Reliability  Engineer  who  is  responsible  for  estab- 
lishing and  implementing  Space  Systems  Division 


28 


reliability  policy  (within  the  framework  of  Martin 
Company  policy) , for  adequacy  of  reliability  portions 
of  proposals,  for  adequacy  of  reliability  programs  on 
active  projects,  for  the  development  of  methods  and 
procedures,  and  for  acquiring  and  training  reliability 
personnel  to  man  the  active  projects . He  also  pro  - 
vides  cross -feeding  of  information  and  techniques 
between  projects  and  a direct  channel  of  communi- 
cation to  Division  management  and  the  company 
Director  of  Reliability. 

Each  active  project  within  the  Space  Systems 
Division  is  headed  by  a Program  Director  who  re- 
ports to  the  Division  Vice  President/General  Manager. 
The  project  is  staffed  with  personnel  from  functional 
departments,  such  as  manufacturing,  quality,  and 
engineering.  The  project  engineering  activity  is 
headed  by  an  Engineering  Technical  Director,  acting 
for  the  Division  Director  of  Engineering  on  the  pro- 
ject. In  most  cases  we  set  up  an  Assistant  Technical 
Director  for  reliability  to  manage  the  line  reliability 
activities  on  the  program.  In  special  circumstances, 
such  as  on  an  integration  program  or  a systems 
manager  project,  a special  Reliability  Program  Office 
is  established,  under  the  direct  supervision  of  the 
Program  Director. 

Complementary  Activities 

There  are  a number  of  essential  activities  that 
complement  those  of  a pure  reliability  engineering 
nature . Paramount  among  these  are  engineering 
standardization,  specifications  control,  field  support 
engineering,  and  data  systems . 

Each  of  the  noted  functions  is  headed  in  Martin 
by  company  headquarters  Directors  who  operate  in 
much  the  same  fashion  as  the  Director  of  Reliability. 

When  a great  deal  of  detailed  work  must  be 
accomplished,  as  in  the  engineering  standardization 
area  where  sets  of  manuals  are  being  developed, 
special  overhead  accounts  are  established  to  plan 
and  control  the  manpower  support  provided  by  the 
operating  Divisions . (As  a matter  of  interest,  we 
are  budgeting  more  than  $560,000  from  overhead 
this  year  to  support  our  engineering  standardization 
effort) . 

Overall  Company  coordination  in  such  areas  as 
the  Inter  service  Data  Exchange  Program  and  the 
Battelle  Electronic  Component  Reliability  Center  is 
accomplished  by  the  office  of  the  Director  of  Relia- 
bility. In  the  IDEP  area,  not  only  is  the  company's 
overall  effort  monitored  but  monthly  status  reports 
are  handled  on  punched  cards,  tabed  out  and  supplied 
to  all  of  the  operating  Divisions  to  provide  a month  - 
to -month  cumulative  summary  of  parts  tests  planned, 


parts  tests  completed  in  each  Division,  and  IDEP 
reports  submitted.  This  provides  both  management 
and  the  IDEP  Division  Data  Coordinators  with  full  and 
complete  information  on  a monthly  basis  to  forestall 
duplication  and  to  encourage  interchange  and  com- 
bination of  test  plans  between  operating  Divisions . 

Cost  Elements 

It  is  implicit  in  specifying  reliability  that  the 
customer  also  support  the  effort  financially . This 
applies  not  only  to  analytical  areas  but  also  to  ade  - 
quate  test  facilities  for  product  development  and 
proofing  and  in  the  general  support  areas  that  re  - 
quire  continued  expansion  and  detailed  coordination 
and  development  to  provide  a base  for  reliability- 
progress.  We  no  longer  question  whether  a customer 
is  really  serious  when  he  includes  a reliability  re- 
quirement in  a request  to  bid;  we  know  he  is. 
Especially  on  the  larger  programs,  manpower 
support  for  reliability  effort  is  no  longer  the  pro- 
blem that  it  used  to  be,  and  percentages  are  ranging 
quite  high  for  reliability  work  relative  to  overall 
engineering  effort  on  a typical  program  today. 

Such  items  as  the  standards  effort  mentioned 
above  contribute  greatly  to  reliability.  Unfortunately, 
because  of  the  wide-spread  application  to  many  pro- 
grams, it  is  virtually  impossible  to  direct -charge 
this  type  of  effort  to  projects  with  any  degree  of 
integrity.  Some  means  of  handling  this  needs  to  be 
found. 

Historically,  in  many  elements  of  the  industry, 
computer  machine  centers  are  part  of  overhead. 

Now  they  must  be  expanded  to  provide  complete  data 
center  controls  for  reliability  purposes,  for  handling 
PERT  and  its  variations,  for  handling  CHAMPION, 
and  other  similar  programs  that  are  relatively  new. 
We  understand  that  some  contractors  have  a serious 
problem  in  the  area  of  computer  funding  in  support 
of  such  things  as  PERT;  this  apparent  inequity 
warrants  investigation.  The  situation  is  created  by 
having  some  contracts  "in  the  house”  that  do  not  allow 
this  effort,  and  normal  accounting  systems  cannot 
resolve  the  problem  if  these  costs  are  carried  in 
overhead. 

The  total  reliability  process  must  be  understood 
by  all  the  people  that  are  concerned  with  it.  Speci- 
fications establish  boundary  conditions  but  they  do  not 
create  reliability  of  and  by  themselves,  nor  do  nu- 
merical analyses . Reliability  must  be  engineered 
into  a product,  then  kept  in  it  through  intensive  work 
in  the  manufacturing  and  use  areas,  and  proofed  so 
that  non -technical  people  can  believe  it  ---  note 
''believe”;  this  is  an  all-important  factor  too  often 
shrugged-off  by  the  technical  sophisticate. 


29 


Cone  lus  ions 


There  is  a need  for  continuing  joint  effort  be- 
tween tiie  Services,  the  Department  of  Defense, 
die  National  Aeronautics  and  Space  Administration, 
and  Industry  to  reduce  the  number  of  reliability 
documents  extant.  There  is  a strong  trend  in  the 
direction  of  systems  effectiveness  requirements 
rather  than  reliability  per  se  which  will  increase 
the  bulk  of  documents  in  this  area*  There  is  need 
for  more  work  on  effectiveness  measurement  of 
reiiabiLity  programs  as  such;  things  in  this  area 
are  still  far  too  subjective. 

Incentive  contracting  inevitably  gets  down  to  the 
basic  measurements  of  cost,  schedules,  and  per- 
formance (which  includes  reliability) * It  requires 
attention  to  detail  planning  and  a careful  look  at  the 
proportion  of  total  program  effort  devoted  to  relia  - 
bility.  There  is  an  obvious  necessity  for  increased 
business  maturity  in  contractor  reliability  organi- 
zations . Many  reliability  groups  have  difficulty 
operating  "in-house"  with  a full  awareness  of  their 
inter-relationships  with  oilier  departmental  functions 
and  fail  to  appreciate  the  effects  of  unilateral  action 
on  other  elements  of  their  organization* 

Engineers  operating  in  inter  -disciplinary  areas 
such  as  reliability  and  maintainability  are  growing 
closer  to  contract  administration  and  contract 
structure  due  to  the  application  of  specifications  with 
"teeth  in  them",  and  the  current  complexion  of  con- 
tracts* This  requires  cross -education  beyond  tra- 
ditional disciplines,  and  if  possible,  the  reduction 
of  some  of  the  extreme  specialization  that  exists  in 
reliability  organizations  today* 

Methods  of  funding  must  be  reviewed  and  revamped 
in  those  areas  that  create  "blanket"  reliability 
improvement,  such  as  engineering  standards,  test 
facilities,  and  data  centers* 

Finally,  while  reliability  analytical  techniques 
have  been  developed  to  a high  state  of  maturity, 
methods  for  measuring  the  efficiency  of  reliability 
organizations  have  not*  The  time  is  ripe  to  launch 
a concerted  effort  to  develop  acceptable  methods 
for  evaluating  organizational  performance  in  the 
reliability  field  without  the  necessity  of  waiting  for 
final  hardware  deliveries. 

References 

1,  H*  L,  Wuerffel,  "Military  Specifications  Affecting 

Reliability,"  Proc,  7th  National  Symposium  on 

Reliability  and  Quality  Control,  pp  56 -S3, 

Philadelphia,  Pa*;  Jan*  1961, 


2*  C*  M*  Ryerson,  "The  Reliability  and  Quality 
Control  Field  from  Its  Inception  to  die  Present, " 
Proc*  IRE,  vol,  50,  pp  1321*1338;  May,  1962* 


30 


GOVERNMENT  DOCUMENTS  ESTABLISHING  AND  SUPPORTING  RELIABILITY  REQUIREMENTS 


31 


RELIABILITY  ANALYSIS  AND  PREDICTION 


G.  Ronald  Herd 

Booz,  Allen  Applied  Research,  Inc. 
Bethesda,  Maryland 


Every  space  program  today  is  confronted 
with  the  dismaying  problem  of  equipment  failure. 
Despite  all  the  effort  and  money  devoted  to  these 
programs,  our  results  consistently  show  inade- 
quate reliability.  Management  has  not  been 
sufficiently  alert  to  make  use  of  all  the  available 
means  for  combating  these  problems. 

The  emphasis  on  controlling  schedules, 
while  entirely  proper  in  itself,  creates  pressure 
throughout  the  program.  Care  must  be  taken  to 
control  the  response  to  these  pressures- -to 
assure  that  performance  is  not  always  sacrificed 
to  promptness.  One  means  of  doing  this  is  by 
actually  integrating  reliability  analysis  and  pre- 
diction techniques  into  our  programs. 

During  the  past  15  years,  the  emphasis  on 
reliability  for  missile  and  space  applications  has 
resulted  in  the  formation  of  reliability  engineer- 
ing groups  in  all  organizations.  During  this 
period,  numerous  techniques  have  been  developed 
and  used  by  reliability  specialists.  The  primary 
aim  in  developing  these  techniques  has  been  to 
answer  the  question,  nWhat  is  the  reliability  of  a 
given  system ?,!.  Only  recently  have  these  tech- 
niques been  forwarded  as  tools  for  designers  and 
management.  Some  design  engineers  have 
learned  to  use  these  analytical  techniques,  but 
there  has  been  universal  failure  to  recognize  the 
value  of  these  same  tools  to  management.  The 
designer  uses  reliability  analysis  techniques  to 
evaluate  alternate  concepts  or  designs.  Manage- 
ment should  use  these  same  techniques  to  evaluate 
the  trustworthiness  of  the  design  concept  and  the 
resultant  design  and  to  aid  in  the  allocation  of 
cost,  engineering  effort,  and  time. 

At  present,  management  is  so  engrossed 
in  the  application  of  PERT  in  controlling  time 
schedules  that  performance  is  being  permitted 
to  disappear  into  a chaotic  chasm  of  inadequacy. 
Meeting  schedules  has  become  so  important  and 
understanding  of  possible  time -cost-performance 
trade-offs  is  so  limited  that  we  will  soon  be 
meeting  launch  schedules  but  putting  only  useless 
piles  of  junk  in  orbit  overhead. 


Aspects  of  Reliability 

There  are  three  important  aspects  of  relia- 
bility: achievement,  assessment,  and  maintenance. 

Achievement  of  high  reliability  depends 
upon  the  ability  of  the  technical  man  to  determine 
the  relations  among  basic  physical  parameters 
and  the  environments,  to  understand  these  rela- 
tions and  know  how  to  apply  them,  and  to  evaluate 
the  degree  of  application. 

Assessing  the  degree  of  achievement  of 
reliability  is  a measurement  problem  and  can  be 
accomplished  in  a variety  of  stages  in  the  de- 
velopment cycle  of  a system.  It  is  obvious  to  all 
of  us  that  during  the  key  development  period  of  a 
system,  classical  measurement  techniques  are 
not  applicable.  It  is  only  during  the  latter  stages, 
when  hardware  is  available  for  testing  that  class- 
ical measurements  can  be  used.  In  the  critical 
early  period  of  development,  however,  relia- 
bility analysis  and  prediction  can  furnish  us  with 
a priori  measurements  which  are  extremely 
valuable  when  and  if  we  know  how  to  interpret 
them. 

Maintenance  of  reliability  is  another  type 
of  control  problem- -one  with  which  we  are  all 
familiar.  The  requirement  here  is  that  we 
eliminate  or  reduce  to  a minimum  the  human 
errors  involved  in  assembly,  diagnosis,  and 
utilization  of  the  system. 

Reliability  analysis,  then,  can  be  described 
as  na  way  of  assessing  the  achievement  of  relia- 
bility before  testing  and  use  experience  are 
available.  n Management  can  use  this  type  of 
analysis  to  introduce  the  performance  dimension 
into  the  Program  Evaluation  and  Review  Tech- 
niques (PERT)  programs  currently  in  use. 

Reliability  Analysis 

Reliability  analysis  is  the  missing  link  in 
the  control  of  system  reliability.  It  furnishes  a 
formalized  method  of  evaluating  the  design 


33 


during  the  research  and  development  phase- 
Currently  it  is  the  only  control  technique  that  is 
sensitive  to  changes  in  reliability.  It  measures 
one  of  the  performance  characteristics--relia- 
bility- -which  is  assumed  to  be  integrated  into 
PERT  programs  but  actually  is  ignored  rather 
than  integrated  under  the  pressures  of  PERT* 

How  do  we  now  make  up  the  slack  in  our 
time  schedules?  Do  we  do  it  by  speeding  up  our 
development  ? —No.1  We  do  it  by  lowering  our 
performance  requirements  or  by  eliminating 
critical  testing  and  evaluation  phases  which 
assure  the  performance — reliability- -require- 
ments. Management  is  not  evaluating  trade- 
offs--merely  trading  away  performance  in  favor 
of  time  and  cost. 

All  systems  are  made  up  from  basic  com- 
ponents or  elements.  The  procedure  of  computing 
loads  or  stresses  and  evaluating  the  effect  of 
these  stresses  furnishes  the  framework  for  an 
analyst  to  determine  the  hazard  associated  with 
each  element  in  its  expected  operating  environ- 
ment. It  is  the  designer's  task  to  insure  that  the 
total  hazard  obtained  in  assembly  of  a system  be 
at  a minimum.  Hazard  here  is  used  in  the  sense 
of  risk  and  is  usually  measured  by  the  failure 
rate.  The  assignment  of  quantitative  values  for 
failure  rates  to  elements  of  the  system  is  an  im- 
portant aspect  of  design  analysis  and  is  essential 
for  reliability  analysis. 

An  early  step  in  the  reliability  analysis  is 
the  development  of  an  abstract  pattern  of  analysis 
or  model  which  is  representative  of  the  physical 
system  under  consideration*  The  models  are 
usually  mathematical  in  nature  and  are  used  to 
evaluate  the  relative  worth  of  alternative  designs 
and  to  predict  the  effects  of  questionable  designs. 
The  parameters  for  the  models  are  determined 
from  past  experimental  evidence  in  laboratory 
testing  programs  and  in  field  and  test  experience 
on  previous  systems.  The  basic  reason  for 
bringing  the  mathematician  into  the  picture  at  all 
is  that  the  engineers  face  unknowns  at  many 
points*  Only  through  probabilistic  treatment  can 
these  unknowns  be  quantitatively  considered. 

A mathematical  model  furnishes  a consis- 
tent set  of  ground  rules  and  provides  a numerical, 
rather  than  an  intuitive,  basis  for  evaluation  and 
selection  of  designs  for  components,  assemblies, 
and  systems*  Manipulation  of  such  models  in- 
volves the  mathematical  techniques  of  probability 
theory. 


Assignment  of  quantitative  values  for  the 
parameters  of  our  reliability  model  is  an  im- 
portant  aspect  of  design  analysis  and  is  essential 
to  reliability  evaluation.  The  parameters  are 
usually  failure  rates,  and  the  values  are  functions 
of  the  design  (strength)  of  the  elements,  their 
interconnections,  and  the  environmental  condi- 
tions. The  basic  information  applicable  to  many 
systems  is  the  part  failure  rate.  We  must  de- 
termine the  failure  rate  and  the  conditions  for 
which  the  rate  is  applicable;  make  the  translation 
to  the  set  of  conditions  existing  in  the  new  system; 
and  take  into  consideration  the  interface  problems 
among  parts  and  among  circuits  iti  the  same 
power  or  functional  line,  realizing  that  this 
interface  is  affected  by  the  failure  modes,  en- 
vironment and  past  operating  history. 

We  have  found  from  bitter  experience  that 
every  individual  must  have  objectives  and  mile- 
stones to  enable  him  and  his  superiors  to  eval- 
uate his  progress.  It  is  only  through  demonstra- 
tion that  he  is  meeting  these  milestones  that  an 
individual  will  continue  to  make  effective  prog- 
ress. The  design  of  a system  for  high  relia- 
bility is  an  area  where  we  need  to  set  up  objec- 
tives and  milestones  for  ourselves*  We  must  be 
able  to  evaluate  our  achievement  of  these  without 
submitting  to  the  5-  to  10 -years'  delay  required 
for  operation  of  the  current,  lengthy  feedback 
loop.  So  this  is  one  area  where  we  have  failed 
to  utilize  the  tools  that  we  have  available. 

If  we  review  the  industrial  growth  of  our 
economy  with  its  emphasis  on  mechanization  and 
automation,  the  evolution  of  reliability  control 
programs  is  readily  traceable.  As  a result  of 
reliability  problems,  customer  service  functions 
were  initiated.  Then  inspection  procedures  were 
introduced  into  manufacturing  processes*  Later, 
quality  control  became  an  integral  part  of  the 
manufacturing  process.  Today,  scientific  con- 
trol in  the  form  of  reliability  analysis  is 
necessary  in  the  design  of  our  complex  systems. 

A reliability  program  is  a method  of  establishing 
effective  management  control  over  the  design  of 
complex  systems. 

Weak  Areas  of  the  Analysis  Techniques 

Where  are  the  areas  of  weakness  in  these 
analytical  techniques?  There  are  two  areas  of 
major  importance*  These  are  in  establishing  the 
basic  failure  rates  from  which  to  build  the  analy- 
sis and  in  considering  the  interactions  within  a 
functional  series  of  elements. 


34 


What  is  the  failure  “rate  problem?  It  has 
its  origin  in  our  definition  of  failure,  in  stress - 
exposure  variations,  in  the  variation  in  observa- 
tion periods,  reporting  efficiency,  and  reporting 
accuracy* 

1*  Definition  of  Failure --In  an  operational 
system,  each  item  is  subject  to  a 
different  definition  of  failure*  For 
example,  electronic  parts  employed  In 
circuits  with  different  tolerances  re- 
quire different  definitions  of  failure* 

2,  Exposure  of  the  item  to  stresses-- 
Each  item  employed  in  a circuit  or 
group  of  circuits  is  subjected  to 
different  levels  of  stress,  due  to  its 
particular  position  in  the  circuit  and 
the  position  of  the  circuit  in  the  system 
and  black  box* 

3.  The  time  of  observation--All  observa- 
tions on  the  system  are  controlled  by 
decisions  which  are  usually  independent 
of  the  systems  under  observation.  At 
times  we  start  observing  the  system 
after  it  has  been  in  operation  for  some 
time  and  know  nothing  about  its  pre- 
vious history.  On  other  occasions  we 
are  able  to  observe  a system  for  a 
fixed  period  of  time  during  its  original 
employment.  In  both  situations,  the 
only  information  available  is  the  infor- 
mation that  was  obtained  during  our 

period  of  observation. 

4.  The  efficiency  of  reporting- -All 
failures  are  not  reported*  This  may  be 
due  to  the  pressures  imposed  upon  the 
staff,  or  it  may  be  due  to  the  differences 
in  interpretation  of  the  concepts  of 
failure* 

5,  Missing  data- -Not  all  pertinent  infor- 
mation is  available  to  the  individual 
completing  the  malfunction  reports  at 
the  time  of  the  malfunction*  For  this 
reason,  and  due  to  human  error,  some 
information  will  not  be  recorded* 

How  do  we  resolve  these  apparent  major 
obstacles  in  establishing  basic  failure  rates  ? 

We  do  this  by  using  as  our  basic  inputs,  experi- 
ence on  parts  or  components  obtained  in  tests  so 
designed  that  the  above  problems  do  not  materi- 
ally affect  the  results*  We  must  know  the  condi- 
tions under  which  the  failure  rates  are  deter- 
mined; then,  using  trade-off  relations  that  are 


almost  universally  accepted  throughout  industry, 
we  can  translate  the  basic  failure  rates  to  the 
rates  applicable  to  the  particular  system  under 
consideration* 

The  second  major  problem  is  the  inter- 
action among  elements  of  the  system.  This 
interaction  problem  is  not  as  obvious  as  the 
failure  rate  problem.  Drift  of  electrical  charac- 
teristics, noise  in  a servoloop,  tolerance  changes 
due  to  wear,  etc*  , are  examples  of  this  problem 
We  know,  as  we  build  a complex  circuit,  that  the 
larger  the  number  of  circuit  elements,  the  more 
difficult  it  is  to  understand  all  of  the  character- 
istic variations  within  the  circuit.  If  we  under- 
stood all  the  cross  currents,  transient  effects, 
etc*  , and  knew  how  to  isolate  channels,  ele- 
ments, and  functions,  then  it  would  be  almost  as 
simple  to  design  a 200-element  circuit  as  a 2- 
element  circuit*  At  present,  we  do  not  have  this 
complete  knowledge,  and  our  inadequacies  are 
inevitably  reflected  in  the  reliability* 

Now  turning  to  your  own  experience,  think 
of  any  number  of  problems  you  have  experienced-* 
intermittent  malfunctions,  the  noise  In  servo- 
loops  which  has  caused  wandering,  and  the  errors 
in  digital  computer  operations*  Many  of  these 
troubles  canrt  be  assigned  to  any  particular 
part;  however,  the  circuit  or  system  failed. 

Our  experience  has  been  that  about  one  time  in 
three  it  is  impossible  to  substantiate  the  ex- 
istence of  a failure  in  a rejected  system;  and 
that  nine  out  of  ten  part  replacements  are  due 
to  a change  in  part  characteristic  rather  than  to 
an  abrupt  catastrophic -type  failure. 

How  do  we  consider  the  effect  of  element 
interaction  or  lack  of  Independence  in  a relia- 
bility analysis  ? There  are  no  well  established 
and  rigorous  techniques*  This  part  of  the  analy- 
sis is  more  of  an  art  than  any  of  the  other  phases* 
To  date  we  have  established,  on  the  basis  of 
empirical  evidence,  that  the  average  failure  rate 
per  part  Increases  with  the  length  of  the 
functional  string*  This  same  empirical  evidence 
has  indicated  that  digital  circuits  and  analog 
circuits  have  different  amounts  of  interactions* 
This  experience  is  compatible  with  our  intuitive 
expectations  and  our  general  knowledge  of  cir- 
cuits. Therefore,  the  technique  that  Is  current- 
ly being  used  is  to  determine  those  elements 
within  a functional  string  which  will  Interact  with 
each  other  and  use  this  as  the  basic  interaction 
building  block  In  the  reliability  analysis.  Within  the 
interaction  building  block,  the  estimate  of  the 
effect  of  Interaction  is  based  upon  the  '’active  ele- 
ment group,ras  first  proposed  by  Task  Group  I in 


35 


the  AGREE  report.  Deciding  how  large  the  in- 
teraction building  block  should  be  is  in  the  realm 
of  art  at  present.  However,  this  technique  has 
been  repeatedly  put  to  test,  and  to  date  I know  of 
no  better  way  of  assessing  the  effects  of  depen- 
dence among  electronic  circuit  parts  or  among 
moving  mechanical  parts. 

I recognize  that,  for  accurate  reliability 
measurement  and  precise  definition  of  reliability 
problems  there  is  no  real  substitute  for  opera- 
tional time  on  a given  system.  However,  the 
reliability  analysis  permits  some  degree  of 
measurement  and  problem  definition  in  the  design 
phase,  before  testing  can  be  accomplished.  In- 
formation derived  from  the  analysis  compensates 
for  its  lack  of  precision  by  its  timeliness  and 
the  resultant  savings  obtained  by  eliminating 
problems  before  they  are  built  into  the  hardware. 
Our  experience  has  been  that  problems  can  be 
identified  and  the  relative  magnitude  of  the 
problems  can  be  assessed  quite  accurately.  We 
have  not  been  equally  successful  in  establishing 
the  accuracy  of  our  time  scale.  The  accuracy 
of  the  time  scale  will  vary  from  system  to 
system;  but  for  large  complex  systems,  the 
scaling  on  the  time  axis  should  not  be  in  error 
by  more  than  a factor  of  two. 

Industry  and  Management  Employment 

Industry  and  management  have  a number  of 
problems  in  the  utilization  of  reliability  analy- 
sis. From  our  experience,  I would  conclude 
that  the  key  problems  are  the  following: 

1.  Failure  rates  are  not  realistic. 

2.  Derating  is  not  accurate,  particularly 
in  load-sharing  redundant  applications. 

3.  Interactions  are  not  considered. 

4.  The  reliability  of  sensing  and  switch- 
ing devices  in  stand-by  redundant 
applications  is  ignored. 

5.  The  effects  of  transients  are  ignored. 

In  one  case  at  least,  a failure  pattern 
reflected  the  dampening  effect  of 
transients  through  the  circuits. 

One  other  major  problem  is  the  tendency 
of  people  associated  with  a program  to  ration- 
alize rather  than  face  up  to  unfavorable  results 
obtained  from  an  analysis  or  testing  program. 
Such  unwillingness  to  acknowledge  unpleasant 
facts  has  disastrous  effects  on  reliability, 
schedules,  and  costs. 


We  have  the  analytic  tools  to  analyze  the 
reliability  of  a design;  we  have  demonstrated 
their  application;  we  know  their  weaknesses- - 
now  it  is  time  for  all  levels  of  management  to 
apply  reliability  analysis  and  prediction  to  the 
difficult  job  confronting  them --controlling  the 
design  of  a complex  system.  My  plea  is  that 
we  incorporate  system  reliability  analysis  into 
our  PERT  programs  and  begin  to  control  per- 
formance rather  than  allow  the  deterioration  of 
performance  to  resolve  all  of  the  scheduling 
obstacles  identified  by  PERT. 


36 


DESIGN  RELIABILITY  MEASUREMENT  AND  EVALUATION 


W.  T,  Sumerlin 

McDonnel  1 AI  r c r af  t C o r p or  at  I on  3 £€>S  ^-J 

St*  Louis,  Missouri 


n 


Summary 


Reliability  measurement  by  data  collection 
and  evaluation  is  considered.  Parameters  are 
defined  and  restrictions  established.  Relia- 
bility estimation  of  sub -systems  and  parts  as 
a preliminary  to  system  estimation  is  reviewed, 
and  rules  are  established.  Confidence  levels 
of  sub-systems  and  parts  versus  combined  system 
are  analyzed.  Estimation  planning  is  discussed* 
Tests  planned  for  accept -reject  reliability 
decision  are  very  briefly  considered* 


Introduction 

Measurement  of  the  reliability  of  a favored 
product  about  to  be  released,  or  the  confirmation 
of  low  reliability  In  a suspect  new  model  has 
seemed  to  many  of  us  for  a long  time  to  be  an 
elusive  technique.  Not  so  for  the  item  of  long 
acclaim  or  for  the  item  regularly  requiring 
chronic  maintenance.  In  the  latter  case,  records 
provide  inescapable  or  irrefutable  data  from 
which  we  all  can  make  calculations  that  few  will 
question.  In  the  former  case,  we  must  create  data 
not  already  available,  run  tests,  experiments 
that  perhaps  are  costly  of  time  and  money,  and 
then  we  must  be  prepared  to  stand  accused  of 
designing  the  test  or  experiment  to  insure  the 
kind  of  data  that  gives  the  desired  result.  In 
looking  back  to  the  fall  of  1955  and  the  handful 
of  men  who  gathered  with  the  author  to  "develop.* 
tests -.which  will  prove  conclusively  that  the 
equipment  will  meet  the  minimum, .reliability  estab- 
lished", and  were  identified  as  AGREE  Task  Group 
3,  it  would  seem  that  guidance  was  provided  by 
Providence.  For  not  until  January  of  1962,  was 
proof  established2  that  certain  statistical 
liberties,  taken  by  Task  Group  3 in  ignorance,  or 
rather  perhaps  because  of  engineering  intuition, 
were  more  than  justified  in  the  Interest  of  test- 
ing economy*  In  spite  of  this  staunch  1957 
AGREE  milestone  for  quantitative  reliability 
acceptance  decisions,  we  still  need  to  clear  away 
the  haze  that  surrounds  a suitable  technique  for 
estimating  or  measuring  the  quantitative  relia- 
bility that  is  inherently  contained  in  a product 
not  yet  mature  enough  to  have  acquired  a per- 
formance reputation.  It  is  the  intention  of  this 
paper  to  apply  an  engineer’s  consideration  to 
this  clarification  and  to  expose  the  statistical 
quirks  to  the  light  of  day  in  such  a way  that  no 
one  needs  suggest  that  "the  numbers  game"  can 
prove  anything. 


Reliability  measurement  occupies  special 
attention  in  the  engineering  profession  because 
it  outwardly  requires  probability  theory  to 
estimate  the  frequency  of  performance  failures 
that  haven't  taken  place  yet.  Further,  because 
we  don't  always  determine  the  cause  of  all  past 
or  future  failures,  we  need  statistics  to  sub- 
stitute for  the  pertinent  laws  of  physics  which 
we  haven't  yet  assigned-  The  first  part  of  this 
paper  will  be  confined  to  means  for  estimating 
the  best  quantitative  figure  for  reliability 
from  data  obtained  by  tests  of  a sample. 

Sampling  is  required  in  the  time  domain  where  we 
examine  behavior  or  performance  for  a restricted 
period  of  time  or  number  of  cycles  and  from  this 
attempt  to  describe  behavior  or  performance  for 
the  extended  future.  Sampling  may  also  be 
required  in  the  population  domain,  where  we 
observe  some  but  not  all  the  items  which  are  of 
interest  to  us,  and  from  such  observations,  we 
make  statements  about  other  similar  items  which 
we  did  not  observe.  Not  infrequently,  we  will 
be  working  with  both  kinds  of  sampling  simul- 
taneously* 


Reliability  Assessment 


If  by  the  term  reliability  assessment  we 
mean  the  assignment  of  quantitative  reliability 
numbers  to  an  item  or  product  of  interest,  then 
it  must  be  noted  that  reliability  prediction  is 
concerned  with  the  reliability  assessment  of  a 
design  without  the  benefit  of  hardware  observa- 
tion* Reliability  measurement,  on  the  other  hand, 
is  concerned  with  the  assignment  of  quantitative 
reliability  numbers  by  virtue  of  Insight  from 
observation  data  acquired  from  representative 
hardware  under  representative  conditions.  In 
actual  practice,  there  will  be  many  occasions 
where  it  is  expedient  to  develop  quantitative 
assessment  numbers  for  a complex  system  by  a com- 
bination of  both  techniques - 

Measurement  Parameters 


It  is  regularly  found  that  inconsistency  in 
applying  certain  restrictions  to  the  important 
reliability  measurement  parameters  results  in 
significant  descrepancies  in  the  results  obtained. 
Accordingly,  the  important  parameters  must  be 
identified,  and  then  these  restrictions  discussed. 


37 


Time  , Domain  Parameters*  Number  of  failures 
(f)  and  '^plleable  time  interval  (t)  permit 
calculation  of  mean  time  between  failures  (MTEF), 
or  its  reciprocal,  failure  rate  (X).  Either, 
when  inserted  In  an  appropriate  distribution 
function,  permits  calculation  of  the  probability 
of  occurrence  (p)  of  any  specified  number  of 
failures,  as  wall  as  the  confidence  (c)  with 
which  certain  statements  can  be  made  concerning 
the  measured  item  or  its  counterparts. 

Population  or  Cyclic  Domain  Parameters.  For 
the  assessment  of  the  reliability  of  certain 
kinds  of  items  where  time  duration  of  operation 
is  not  significant  compared  to  the  cycles  of 
operation,  such  as  in  actuators,  switches,  fuses, 
and  one  shot  devices,  we  need  failures  (f),  and 
cycles,  and  units (n)  from  which  to  calculate 
unit  reliability  (r).  The  latter,  when  inserted 
in  an  appropriate  distribution  function,  permits 
calculation  of  the  probability  of  occurrence  (P) 
of  any  specified  number  of  failures  in  a given 
population,  as  well  as  the  confidence  (c)  with 
which  certain  statements  can  be  made  concerning 
the  measured  items  or  their  counterparts. 

Failures.  In  basic  reliability  theory,  this 
author  always  identifies  three  kinds  of  failures, 
namely,  initial,  wearout,  and  random.  Initial 
failures  are  those  which  result  when  an  item  is 
not  right  to  begin  with,  regardless  of  whether 
the  failure  to  perform  was  present  from  the 
start  or  appeared  during  the  early  failure  period. 
Wearout  failures  are  those  whose  time  of  occur- 
rence can  be  successfully  predicted  because  of  a 
constant  mean  time  of  occurrence  and  a small 
variance  about  this  mean.  Thus,  wearout  failures 
can  be  prevented  by  preventive  maintenance  which 
replaces  a failing  item  economically  just  before 
failure  takes  place.  Random  failures  are  the 
failures  that  support  most  or  all  of  our  relia- 
bility activity,  and  need  be  defined  simply  as 
failures  whose  time  of  occurrence  is  random  to 
the  extent  that  it  cannot  be  predicted  sufficient- 
ly to  permit  elimination  by  preventive  mainten- 
ance techniques.  Thus,  random  failures  include 
those  wearout  failures  which  occur  so  infre- 
quently as  to  prevent  recognition,  and  they 
include  those  initial  failures  which  cannot  con- 
veniently be  screened  out  by  an  economical  burn- 
in  or  check-out  period.  In  general,  if  the 
failures  in  the  random  category  make  up  a suffi- 
ciently heterogeneous  collection,  randomness  is 
guaranteed,  and  this  is  most  always  the  case. 

In  collecting  failures  by  test  from  which 
to  make  measurement  calculations,  there  are  many 
temptations  to  omit  certain  failures  from  the 
count.  No  performance  failures  of  the  item  in 
test  occasioned  by  a fault  within  the  tested  item 
(and  this  must  be  presumed  unless  an  external 
fault  is  actually  found)  can  be  neglected  unless 
it  can  be  shown  beyond  question  to  be  an  initial 
failure  or  a wearout  failure.  If  an  initial 
failure,  all  test  time  acquired  up  to  the  moment 
of  such  failure  must  be  neglected  if  the  failure 
is  ignored.  If  a wearout  failure,  an  acceptable 
preventive  maintenance  procedure  must  be  applied, 
and  then  the  failure  may  be  ignored  only  if  all 


subsequent  similar  failures  are,  in  fact,  pre- 
vented by  virtue  of  the  preventive  maintenance 
routine.  The  fact  that  a design  change  Is  made 
immediately  following  a failure  which  will 
successfully  prevent  any  recurrence  of  similar 
failures  is  not  sufficient  reason  to  discount  the 
failure  while  counting  the  accumulated  time. 

The  tested  item  may  have  thousands  of  different 
design  shortcomings  each  of  which  will  produce 
a future  failure.  Thus  the  reduction  by  one  of 
the  different  ways  a failure  may  take  place  gives 
no  license  to  suggest  the  future  failure  fre- 
quency will  be  measurably  decreased.  Also,  since 
repetition  of  a sampling  test  on  the  same  kind 
of  Item  violates  a basic  law  of  statistics 
(which  says  that  any  desired  outcome  may  be 
observed  If  sufficient  repetitions  of  the  test 
are  made),  test  time  and  related  failures  cannot 
both  be  ignored  with  immunity  for  any  reason 
save  a proven  initial  failure.  A new  test  or  re- 
test must  be  preceded  by  significant  design 
change  or  Improvement. 

While  a single  failure  may  result  in  Immedi- 
ate damage  to  several  related  parts  of  the  tested 
unit,  and  the  replacement  of  these  several  parts 
need  be  counted  only  as  a single  failure,  there 
will  be  other  cases  where  more  than  one  part  will 
appear  to  have  failed  simultaneously  with  no 
reasonable  explanation  as  to  a relationship 
between  or  among  the  failed  parts.  If  tested 
unit  performance  is  prevented  by  several  unrelat- 
ed parts  failures  all  of  which  seemed  to  occur 
simultaneously,  each  unrelated  part  must  be 
counted  as  a separate  failure  and  the  simultane- 
ous time  of  occurrence  classified  as  coincident. 
Conversely,  there  need  be  no  limit  to  the 
analytical  effort  applied  to  prove  relationship 
between  several  simultaneous  parts  failures. 

Applicable  Time.  Hardware  has  frequently 
been  shown  to  simultaneously  possess  more  than 
a single  characteristic  mean  time  between  failures 
(MTBF ) . For  instance,  many  equipments  do  not 
have  infinite  storage  or  shelf  life,  and  thus 
have  a significant  though  high  MTBF  applicable  to 
storage  or  shelf  conditions,  and  it  may  well  vary 
with  different  such  conditions.  Observation  of 
hardware  under  such  conditions  to  permit  measure- 
ment of  storage  MTBF  is  often  complicated  because 
we  cannot  establish  failure  (and  thus,  time  of 
failure)  without  putting  the  item  in  operating 
condition,  and  this  change  of  state  for  the  item 
may  well  contaminate  the  observation.  The  point 
to  be  made  is  to  emphasize  an  adequate  descrip- 
tion of  the  conditions  under  which  a measure  of 
the  reliability  is  desired,  and  then  collect 
observation  time  only  for  the  time  of  exposure  to 
the  applicable  conditions.  If  certain  time  inter- 
vals are  to  be  ignored  because  they  are  necessary 
to  establish  proper  initial  operation,  or  for 
other  Justifiable  reasons,  make  sure  they  are 
thoroughly  defined  beforehand,  so  that  no  option 
depending  on  failure  observations  Is  present. 

In  planning  the  duration  of  a proposed  test, 
it  is  well  to  be  prepared  to  continue  the  test 
long  enough  so  that  with  barely  sub -marginal 
reliability  there  will  still  be  enough  failures 


38 


observed  to  provide  a starting  point  for  considers^ 
tion  of  design  improvement.  This  factor  was  the 
basis  for  requiring  observation  for  a minimum  time 
period  computed  as  three  times  the  desired  MTBF 
for  pilot  production  equipment,  AGREE  Task  3, 
and  thus  a minimum  of  12  failures, on  the  average, 
from  which  to  start  design  improvement  on  reject- 
ed equipment. 

Units  and  Cycles.  If  MTBF  is  constant  in  a 
given  situation  thus  establishing  the  appro- 
priateness of  the  Poisson  distribution  for  mea- 
surement calculations,  and  such  assumption  is 
reasonable  in  a majority  of  situation,  (and  cor- 
respondingly all  units  which  are  to  be  observed 
under  test  are  beyond  their  early  failure  period), 
then  it  makes  no  difference  whether  we  accumulate 
unit  hours  of  operating  time  and  related  failures 
from  one  unit  over  a long  period  or  from  many 
units  over  a short  period.  However,  there  is  an 
important  consideration.  If  our  total  future 
concern  is  confined  to  a single  unit  and  that  is 
the  unit  we  will  test,  then  our  probability  con- 
clusions will  involve  sampling  only  in  the  time 
domain,  and  the  confidence  we  acquire  by  test 
duration  need  only  be  sufficient  for  the  period 
of  our  concern  for  future  use  (perhaps  a "mission" 
time).  If  on  the  other  hand,  we  expect  to  draw 
conclusions  from  the  test  of  a few  units  which 
we  will  apply  to  a large  population  of  units, 
then  our  observation  must  be  extended  sufficiently 
to  give  us  desired  confidence  both  as  to  future 
time  period  (mission)  and  as  to  population.  As 
an  example,  suppose  from  test  data  we  conclude  a 
missile  has  a 0*90  reliability  with  0.90  confi- 
dence. We  have  then  stated  that  nine  times  out 
of  ten  the  missile  will  demonstrate  0.90  relia- 
bility. In  launching  a hundred  missiles  as  many 
as  ten  might  be  presumed  to  be  unsuccessful,  and 
this  would  prevail  nine  times  out  of  ten.  Thus 
if  on  nine  of  ten  occasions  to  launch  a hundred 
missiles  there  were  never  more  than  ten  that 
failed,  on  one  of  the  ten  launchings  (of  the  hun- 
dred missile  salvo)  the  reliability  might  be  less. 
From  the  same  test  data  we  could  also  calculate  a 
new  and  lower  value  for  reliability  but  with  a 
higher  (than  0-90)  confidence.  Accordingly,  we 
are  able  to  describe  with  specific  limits  all 
future  trials,  but  we  find  that  our  need  to  spread 
our  expectations  over  many  different  units  in  a 
large  population  encourages  us  to  extend  our  test 
observation  to  yield  higher  confidence.  It  would 
seem  obvious  then  to  attempt  to  increase  the  num- 
ber of  units  in  our  test  sample  rather  than  to 
extend  the  confidence  solely  by  a longer  test, 
for  this  gives  us  protection  against  unit  vari- 
ation. 

There  are  many  cases  where  it  will  be  found 
that  the  literature  urges  that  tests  be  run  on  no 
fewer  than  two  units  for  reliability  measurement. 

If  test  conclusions  are  to  be  applied  to  a large 
population  of  assumed  identical  units,  a test  ob- 
servation of  no  less  than  two  guarantees  that 
test  findings  will  not  be  based  on  a single  unit 
which  is  radically  different  from  the  rest  of  the 
lot. 


Probability  and  Confidence 

Distribution  functions  such  as  the  Poisson 
and  the  binomial  permit  us  to  calculate  the  prob- 
ability of  observing  any  predetermined  number  of 
failures  with  a given  reliability  (MTBF  or  X for 
the  Poisson,  and  number  of  units  in  test  sample 
plus  MTBF  or  X for  binomial).  Thus  we  are  also 
able  to  compute  the  probability  of  observing  more 
failures  than  a given  number,  given  a particular 
reliability.  This  in  effect  says  that  if  the 
reliability,  r,  were  so  bad  that  there  was  P 
probability  of  observing  more  than  f failures, 
then  we  have  P = C confidence  that  the  reliability 
is  at  least  r,  based  on  observing  f failures. 

As  an  example,  suppose  1000  unit -hours  of 
test  produced  but  one  failure,  and  a statement  of 
MTBF  with  confidence  was  desired.  Scrutiny  of 
Molina* 8 Table  11^  shows  that  for  a = 3.9  ( and 

a *»  t / MTBF  where  t is  the  1000  unit-hours  of 
test),  and  c * 2 ( where  c is  interpreted  to  mean 

two  or  more  failures),  then  P = 0.9008.  Hence, 
if  a figure  for  MTBF  is  chosen  such  that  t/MTBF 
equals  3*9  then  there  is  a probability  of  0.9008 
of  observing  more  than  one  failure.  And  thus  for 
an  MTBF  = 1000  / 3*9  = 256  hours,  we  have  a 90% 
confidence. 

As  a second  example,  in  one  hundred  trials  of 
a unit  there  were  ten  failures.  From  the  Cumula- 
tive Binomial  Probability  Distribution*  we  find 
that  if  the  probability  of  failure  for  a single 
unit,  p,  were  as  high  as  0.15  ( a^d  hence  its  re- 
liability equal  to  1 - 0.15  = O.85)  then  with  100 
units  in  the  sample  ( n = 100  ) and  r = 11  (this 
table  uses  r equivalently  to  Molina's  use  of  c, 
in  this  case  meaning  eleven  or  more  failures), 

P = 0.90055.  Hence  if  reliability  were  as  low  as 
O.85  there  would  be  90$  probability  of  more  than 
10  failures  in  100  trials  and  we  have  90$  confi- 
dence that  reliability  is  O.85  or  more  from  ob- 
serving 10  failures  in  100  trials. 

Assessment  of  Systems,  Sub-systems,  and  Parts 

Measuring  the  reliability  of  systems  is  often 
considered  easier  than  measuring  the  reliability 
of  the  sub -systems  or  parts  that  make  it  up,  be- 
cause with  the  entire  system  under  test,  failures 
occur  more  frequently,  and  a shorter  test  builds 
up  a higher  level  of  confidence  in  the  needed  re- 
liability. (Such  system  testing  also  eliminates 
need  for  considering  application  factors  for  piece 
part  test  data. ) For  example,  if  we  remember  that 
a test  which  observes  one  failure  permits  us  to 
have  90$  confidence  that  the  MTBF  is  at  least  l/4 
the  value  obtained  by  dividing  the  unit-hours  of 
test  by  the  one  failure,  then  a 10CX) -unit -hour 
system  test  would  permit  us  to  say  we  had  90$  con- 
fidence that  the  MTBF  were  at  least  250  hours 
(accurately  256  hours,  see  earlier  example).  If 
the  system  were  in  fact  made  up  of  ten  identical 
sub-systems,  we  could  expect  it  to  take  ten  times 
as  long  to  produce  one  failure  on  a sub -system, 
or  10,000  unit -hours  to  run  a test  that  would  give 
us  90$  confidence  that  the  sub-system  MTBF  were 
at  least  2,500  hours.  And,  anomalously,  with  such 


39 


a 90$  confident  conclusion  we  should  have  to  ac- 
knowledge that  on  the  average  one  of  every  ten 
such  sub-systems  might  be  lower  than  2,500  hours 
MTBF,  and  if  this  happened  in  the  group  of  ten 
sub-systems  making  up  the  given  system,  then  the 
latter  could  not  be  expected  to  have  250  hours 
MTBF  or  more.  If  we  had  been  unsure  that  all  ten 
sub-systems  were  identical  and  had  instead  tested 
each  of  the  ten  for  the  1000  hours  which  we  would 
have:  given  the  system  as  a whole,  we  could  then 
claim  10  times  1000  hours  or  10,000  unit-hours  as 
before,  and  the  same  statement  on  confidence  as 
before.  But  now  we  know  that  our  statement  on 
confidence  for  the  whole  system  must  also  apply. 
Because  so  often  we  need  test  results  as  early  as 
possible  to  allow  time  for  design  improvement 
should  the  reliability  be  insufficient,  we  are 
often  forced  to  make  sub -system  tests  long  before 
we  are  able  to  make  system  tests.  To  better  un- 
derstand these  seeming  paradoxes,  let  us  examine 
the  way  in  which  reliability,  MTBF,  X,  and  con- 
fidence combine  in  going  from  the  parts  to  sub- 
system level,  or  from  sub-system  to  system  level. 

Combining  Reliabilities 

While  fundamental  reliability  training  has 
taught  us  that  reliabilities  of  series  elements 
combine  by  product  rule  (and  thus  unreliabilities 
if  very  small  are  approximately  additive),  failure 
rates  under  similar  conditions  are  additive,  and 
MTBF's  must  be  inverted  to  failure  rates  to  be 
combined,  training  often  fails  to  note  that  all 
such  combinations  are  to  be  performed  with  "best 
estimate"  values.  The  statistician  may  mootly 
consider  values  for  zero  bias,  values  of  maximum 
likelihood,  and  values  which  are  equally  likely 
to  be  too  high  as  too  low.  In  any  case,  the 
engineer  should  compute  the  best  estimate  by  di- 
viding the  unit-hours  of  observation  by  the  num- 
ber of  failures  observed  (unless  the  test  was 
concluded  upon  occurrence  of  the  last  failure 
which  then  can  be  ignored)  for  a best  estimate 
of  MTBF.  He  should  divide  the  number  of  succes- 
ses by  the  total  number  of  trials  (successes  plus 
failures)  for  a best  estimate  of  single-shot  or 
cyclic  reliability.  If  he  observes  no  failures 
over  a period  (measured  in  time,  cycles,  or 
trials)  equal  to  or  longer  than  that  period  which 
would  apply  were  the  test  being  applied  to  the 
overall  system,  then  he  should  assign  infinite 
MTBF  or  unity  reliability  to  the  sub-system.  In 
any  case  the  observation  period  should  equal  (or 
exceed)  for  the  sub-system  that  which  would  have 
been  chosen  for  the  complete  system  had  it  been 
possible  to  test  the  complete  system  instead. 

For  example,  if  a system  is  composed  of  a single 
unit  A,  and  three  unit  B's,  and  would  be  tested 
if  available  for  1000  hours  to  develop  adequate 
confidence  in  the  desired  reliability,  then  by 
sub-system  test  a minimum  of  1000  unit -hours 
should  be  observed  on  unit  A and  3000  unit -hours 
on  unit  B.  If  one  failure  were  observed  on  unit 
A during  its  test  period,  and  no  failures  were 
observed  on  unit  B during  its  3000  hours  of  test, 
then  an  MTBF  of  1000  hours  for  unit  A should  be 
employed  in  system  reliability  computation,  and 
an  infinite  MTBF  for  each  of  the  three  unit  B's. 
Thus  the  system  computation  would  yield  a 1000 


hour  MTBF  for  the  complete  system,  as  a best 
system  estimate. 

Combining  Confidences 

Suppose  the  failure  rate  of  a module  con- 
sisting of  two  parts  was  desired.  Part  A was 
known  to  have  a failure  rate  of  0.2 $ per  1000 
hours  with  60$  confidence,  and  part  B was  known 
to  have  a failure  rate  of  0.092$  per  1000  hours 
with  60$  confidence.  Is  it  proper  to  add  the 
failure  rates,  0.2  + 0.092  * 0.292$/l000  hours, 
and  if  so  is  the  confidence  60$  on  the  total  thus 
obtained? 

Actually  none  of  these  failure  rates  is  a 
"best  estimate"  rate,  as  each  is  pessimistic  in 
order  to  permit  added  confidence.  We  do  not  have 
enough  information  in  knowing  only  the  failure 
rate  at  a single  particular  confidence  to  permit 
us  to  determine  best  estimates  nor  to  permit  us 
to  determine  resulting  confidence  in  a summation. 
However,  if  we  can  obtain  further  information, 
all  the  desired  parameters  may  be  calculated. 

We  find  that  the  failure  rates  at  60$  con- 
fidence were  obtained  from  observing  one  failure 
during  test  of  part  A and  zero  failures  during 
test  of  part  B.  Reference  to  Molina’s  Table  IP* 
shows  a probability,  P,  of  observing  two  or  more 
failures  (observing  more  than  one  failure,  which 
is  equal  to  a confidence  of  P for  one  failure) 
of  0.60  if  a = t/MTBF  = t X - 2.0.  For  zero 
failures  we  find  P,  the  probability  of  observing 
one  or-  more  failures  (probability  of  observing 
more  than  zero  failures)  is  0.60  if  a = 0*92. 
Simple  arithmetic  shows  both  parts  were  each 
tested  for  one  million  part -hours.  One  failure 
in  one  million  part -hours  for  part  A gives  a 
best  estimate  of  1.0  x 10~°  or  0.10$/l000  hours. 
Best  estimate  for  part  B for  which  zero  failures 
were  observed  is  zero  failure  rate  provided  no 
more  than  one  million  part -hours  per  end  system 
are  required  per  mission.  If  this  restriction 
is  met,  the  best  failure  rate  estimate  for  the 
module  is  0.10$/l000  hours. 

If  test  of  each  part  for  a million  part -hours 
could  be  considered  essentially  the  same  as  a 
module  test  for  one  million  module -hours,  with  a 
single  failure  resulting  from  this  module  test, 
then  we  already  know  for  P = 0.60  and  one  failure 
that  a « 2.0,  so  we  have  60$  confidence  that  the 
module  failure  rate  is  not  greater  than  0.20$ 
per  1000  hours.  Note  that  this  is  significantly 
less  than  the  sum  of  the  separate  part  failure 
rates  at  60$  confidence  ( 0.20  + 0*092  = 0.292  $ 
per  1000  hours).  Further,  reference  to  Molina's 
Table  11^  for  a=2.9  shows  we  have  79$  confidence 
that  the  module  failure  rate  is  less  than  0*29$ 
per  1000  hours.  These  data  are  tabulated  here- 
with for  comparison: 


xlO^  From 

Test  Fran  Tables 

Best 

c=6c rf,  f 

t a 

Estimate 

Part  A 0.2  1 

10§  2.0 

0.1  xlO-5 

Part  B .092  0 

10  .092 

0 

Total  0.292xl0"5 

0.1  xlO-5 

Confidence 

for  related 

total  79# 

(2636) 

total  for  60#  C 

= 0.20  x 10-5 

A second  example  which  illustrates  confi- 
dence calculations  using  the  Binomial  Tables** 
might  be  the  following.  Two  units  make  a system, 
unit  A and  unit  B.  One  hundred  trials  of  unit  A 
produce  two  failures  for  a best  reliability 
estimate  of  0*98*  while  one  hundred  trials  of 
unit  B produce  ten  failures  for  a best  estimate 
of  0*90.  The  best  reliability  estimate  for  the 
system,  assuming  failures  are  independent  and  all 
twelve  would  have  occurred  in  100  system  trials 
is  0.88  and  this  figure  can  be  obtained  either 
by  computing  system  success  to  trial  ratio, 
(l00-12)/l00  * 0.88,  or  by  multiplying  the  best 
reliability  estimates  of  the  two  units  together, 

O.98  x 0.90  « 0.88.  For  90 # confidence  cal- 
culations, the  binomial  tables1*  are  searched  for 
n « 100,  P = 0.90,  and  r - 3 (more  than  2 failures 
for  unit  A)  to  find  p (which  is  the  probability 
of  failure  of  a single  unit  and  equals  one  minus 
the  single  unit  reliability)  equal  to  0.053 
(and  hence  R = 0.947  for  unit  A).  For  r = 11 
(more  than  10  failures)  p = 0.15  (and  hence 
R = O.85  for  unit  B).  For  n=100,  P=0.90,  and 
r-13  (more  than  12  failures  as  applicable  to  the 
combined  system)  p = 0.17  to  give  a 90 # confidence 
system  reliability  of  O.83.  If  we  combine  the 
90 # confidence  values  for  the  separate  units, 

0.9^7  x O.85  - 0.80,  and  look  up  n=100,  r=13> 
and  p=l -0.80=0. 20,  we  find  P = 0.97  to  give  97# 
confidence  in  the  0.80  figure.  These  data  are 
tabulated  herewith  for  comparisons 


Test 

Trials  Failures 


Rel.  Best 
Estimate 


Reliability 
for  C=9(# 


Unit  A 100  2 

Unit  B 100  10 


O.98  0.91*7 

0.90  O.85O 


System  0.98x0.90 

= 0.88 

Related  Confidence 

For  90#  Confidence,  System  R 


0.947x0.850 
= 0.80 
97# 

= O.83 


A third  example  may  be  useful  in  illustrating 
that  sometimes  there  is  considerable  value  in  low 
confidence  levels.  Suppose  a system  is  composed 
of  ten  different  sub-systems,  each  of  which  co- 
incidentally has  a best  estimate  MTBF  of  1000 
hours  to  give  a system  best  estimate  of  100  hours. 
Now  a system  test  of  1000  hours  duration  yield- 
ing ten  failures  is  a fairly  solid  test  as  estab- 
lished by  90#  confidence  that  the  MTBF  is  at 
least  64.5  hours.  (Molina* s Table  11^,  P=0.90, 


c=ll,  a=15.5,  and  MTBF  = 1000/15.5=64.5  hours.) 
To  make  separate  sub -system  tests,  1000  hours  of 
testing  for  each  would  yifcld  the  same  quantity  of 
total  data,  but  on  the  average  each  sub-system 
would  encounter  but  one  failure.  The  sub-system 
confidence  applicable  to  a 645  hour  lower  limit 
MTBF  based  on  a one -failure  1000  hour  test,  is 
found  to  be  46#  (a=1.55,  c=2,  P=0.46).  Thus  no 
more  than  46#  confidence  on  each  of  ten  sub -sys- 
tems is  sufficient  to  yield  90#  confidence  in  the 
combined  system  in  this  particular  example. 

In  general,  a unit -hour  testing  or  obser- 
vation period  sufficient  to  produce  desired  con- 
fidence in  a system,  is  also  sufficient  to  pro- 
duce adequate  confidence  in  each  sub -system  pro- 
vided all  sub -systems  are  tested  for  this  period. 
Had  the  last  example  been  the  same  system  but 
composed  of  ten  identical  sub-systems,  then  the 
latter* s test  would  have  produced  10  times  1000 
or  10,000  sub-system  unit-hours  and  ten  failures, 
and  would  have  established  90#  confidence  in  645 
hours  MTBF  for  the  sub -system,  and  it  would  not 
be  sufficient  to  test  but  one  sub-system  for  1000 
hours  and  observe  one  failure.  As  many  failures, 
in  general,  must  occur  via  combined  sub-system 
tests  as  would  be  expected  during  a system  test 
in  order  that  the  lower  sub -system  confidence  be 
sufficient  for  a high  system  confidence. 

The  examples  for  confidence  combination  have 
in  each  above  example  prescribed  sub-system  or 
component  test  or  observation  periods  equal  in 
length  to  each  other  and  to  that  for  the  combined 
system.  If  test  data  are  available  for  the  var- 
ious sub -systems  but  have  been  collected  over 
periods  of  varying  length,  then  common  logic  per- 
mits us  to  reduce  by  interpolation  all  data  to 
equivalent  periods  equal  in  length  to  the  short- 
est period  represented.  A somewhat  more  sophis- 
ticated technique  than  described  herein  for 
yielding  a more  optimistic  lower  confidence  limit 
for  system  reliability  from  equal  tests  of  sub- 
systems is  described  in  recent  literature  by 
Garner  and  Vail^.  This  method  is  not  considered 
applicable  in  view  of  the  aforementioned  rule 
to  count  separately  independent  failures  even 
when  occurring  coincidentally.  To  this  writer's 
knowledge,  equivalent  work  using  subsystem  data 
from  tests  of  unequal  duration  has  not  yet  been 
published. 


Planning  Tests  for  Estimation 

In  planning  tests  or  observation  periods 
for  making  reliability  estimates  the  important 
factors  to  consider  are  the  following: 

1.  Duplicate  or  simulate  the  environment 
(mechanical,  electrical,  thermal,  etc.) 
under  which  the  quantitative  .reliability  is 
desired.  The  accuracy  of  simulation  may 
significantly  affect  the  result. 

2.  Duplicate  or  simulate  the  interconnections 
(mechanical,  electrical,  etc.)  between  the 
unit  of  interest  and  associated  items  or 
systems,  power  sources,  etc.  The  proba- 


41 


bility  of  failure  from  outside  cause  may  be 
important  in  the  result, 

3* Duplicate  or  simulate  the  internal  environ- 
ment within  the  unit  to  be  measured  with 
respect  to  level  of  operation  ( or  non- 
ope rati on ),  duty  cycle,  and  operator  ac- 
tivities and  adjustments-  The  effectiveness 
of  this  may  importantly  control  failures 
fro m inside  causes.  Also,  remember  often- 
times a unit  will  have  different  reliabil- 
ities for  different  modes  of  operation. 

4- unless  reliability  interest  is  confined  to 
a specific  hardware  item  and  this  is  the 
item  to  be  tested,  carefully  consider  the 
advisability  of  simultaneously  testing  { or 
observing)  two  or  more  units  so  that  risk 
of  findings  based  on  a non -representative 
unit  is  eliminated*  The  greater  the  number 
of  items  under  observation  the  less  elapsed 
calendar  time  required  for  a given  degree 
of  confidence. 

5 .Plan  the  total  number  of  unit  hours  of  ob- 
servation needed,  based  on  desired  relia- 
bility and  confidence.  See  subheading 
"Probability  and  Confidence",  If  the  results 
are  less  favorable  or  unfavorable  there  will 
be  even  higher  confidence  in  the  unfavorable 
reliability.  If  the  tests  or  observations 
are  to  be  of  all  of  the  separate  pieces 
which  will  go  together  to  make  up  a system, 
there  need  be  no  more  observation  separately 
than  there  would  be  collectively  for  the 
assembled  system,  even  though  increased 
MTBF  requirements  for  the  sub -systems  or 
parts  appear  to  preclude  high  confidence 
with  the  assigned  time  for  observation* 

For  example,  a system  presumed  to  have  1000 
hours  MTBF,  and  with  need  to  establish  500 
hours  MTBF  at  90#  confidence  is  to  he 
tested  at  the  sub-system  level*  First,  the 
number  of  failures  (f)  to  be  observed  to 
yield  a best  estimate  MTBF  (T0)  of  1000 
hours  and  a 90#  confidence  MTBF  (Tqq)  of 
500  hours  needs  determination*  If^ 
t/f=1000  and  t/a-500  where  t is  observation 
unit -hours  and  a is  the  exponent  from 
Molina's  Table  XI^  for  F=0,90  when  c=f4l, 
then  a/f~2  and  we  find  from  the  table: 

a c p page 

2 2 0*593994  3 

4 3 0.761897  5 

6 4 0.840796  6 

8 5 0*900368  9 

10  6 0*932914  11 

12  7 0*954178  14 

From  this  we  see  a 4 -failure  test  (c=5)  is 
sufficient  for  90#  confidence  in  1/2  the 
best  estimate,  and  the  observation  period 
to  be  planned  should  be  of  4000  system  hours. 
If  the  system  is  composed  of  one  of  sub- 
system A (est.  MTBF  12,000  hr*),  four  series 
sub-system  B (est*  MTBF  6000  hr.  each),  and 
one  sub-system  C (est.  MTBF  4000  hr.),  it 


will  be  necessary  to  acquire  only  4000  unit- 
hours  of  observation  of  sub -systems  A and  0 
and  16,000  unit-hours  for  sub-system  B. 

Sub -system  confidence  from  these  observation 
periods,  if  failures  are  on  the  basis  of 
estimated  MTEF's  are: 


Sub-  Time  Failures 

system  u-h  Confidence  in  MTBF 


A 

4000 

0 

48.8* 

6000  hrs 

B 

16,000 

3 

or 

77-9 

3000 

B1 

4000 

1 

39-1 

3000 

B2 

4000 

1 

39-1 

3000 

B3 

4000 

1 

39.1 

3000 

b4 

4ooo 

0 

74.1 

3000 

c 

4000 

1 

59*4 

2000 

4000 

4 

90.0 

500 

Planning  Tests  for  Decision  Making 

The  principal  difference  in  the  testing 
rules  when  testing  for  decision  making  is  that 
in  addition  to  the  aforementioned  concern  about 
test  conditions  with  reference  to  external 
environment,  interconnections,  internal  environ- 
ment, number  of  units,  and  duration,  it  is  neces- 
sary to  establish  the  maximum  number  of  failures 
allowed  for  acceptable  equipment. 

In  the  last  example  of  a system  producing 
4 failures  in  40G0  system  hours  of  test  (or 
observation)  for  a best  estimate  of  1000  hour 
MTBF,  consider  the  system  producer  who  might  be 
told  his  system  would  be  acceptable  only  If  it 
produced  no  more  than  4 failures  in  4 000  hours 
of  test.  Molina^s  Table  II  on  page  5 shows  that 
with  a »4.0  and  c=  5 there  is  0*371163  probability 
of  more  than  four  failures  in  this  test  if  MTBF  = 
1000  brs»,  and  thus  only  1 - -3711 63  = 63#  pro- 
bability of  passing  the  test.  A conscientious 
producer  should  demand  90  - 95#  probability  of 
passing  a test,  so  he  would  note  that  "a11  must 
equal  2.0  for  a 94*7#  probability  of  passing, 
which  means  his  system  should, in  reality,  have 
an  MTBF  of  2000  hours.  The  5*26#  risk  of  still 
not  passing  is  called  the  producer's  risk,  , 
and  it  is  associated  with  2000  hours  MTBF  or  0O, 
The  90#  confidence  point  of  hours  relates  to 
the  10#  user's  risk,  /$  , (of  less  than  500  hours 
MTBF)  and  the  500  hour  MTBF  associated  with 
is  usually  identified  as  Thus,  a 4 failure 

test  is  seen  to  have  a &Q/9±  ratio  of  4 for 
ot  - 5#>  fb  - 10#.  Correspondingly,  other  ratios 
of  0 /Qt  for  numbers  of  failures  and  for 

= 5#,  10#,  * 10#  are  found  to  be: 


f 

c= 

oC = 

ao 

P 

al 

al/ao=eo/el 

f+1 

. p 

4 

5 

.053 

2.0 

0.900 

0.10 

8.0 

8.0/2.0=4.00 

5 

6 

.049 

2.6 

O.901 

.099 

9.3 

9.3/2.6=3.58 

6 

7 

.051 

3.3 

0.898 

.102 

10.5 

10.5/3.3=3.l8 

7 

8 

.051 

4.0 

0.901 

.099 

11.8 

11.8/4.0=2.95 

8 

9 

.050 

4.7 

0.900 

.100 

13.0 

13.0/4.7=2.75 

9 

10 

.049 

5.4 

0.900 

.100 

14.2 

14.2/5.4=2.64 

10 

11 

.051 

6.2 

0.901 

.099 

15.5 

15.5/6.2=2.5 

6 

7 

*101 

3.9 

0.898 

.102 

10.5 

10.5/3.9=2.7 

7 

8 

*100 

4.6 

0.901 

.099 

11.8 

11.8/4.65=2.54 

8 

9 

*097 

5.4 

0.900 

.100 

13.O 

13.0/5.4=2.41 

9 

10 

*096 

6.2 

0.900 

.100 

14.2 

14.2/6.2=2.3 

10 

11 

*096 

7-0 

0.901 

.099 

15.5 

15.5/7  =2.22 

12 

13 

*097 

8.6 

0.908 

.092 

18. 

18.0/9.5=2.1 

13 

14 

.102 

9-5 

0.901 

.099 

19. 

19.0/9.5=2.0 

14 

15 

.100 

10.3 

0.895 

.105 

20. 

20.0/10/3=1.94 

At  this  point,  it  may  be  observed  that  as  in 
reliability  estimating  where  two  values  of  relia- 
bility and  two  associated  levels  of  probability 
are  needed  to  sufficiently  identify  a measure- 
ment (e.g*  reliability  for  90$  confidence  and 
reliability  for  best  estimate),  in  reliability 
decision  making  there  are  also  requirements  for 
two  values  of  reliability  and  two  associated 
levels  of  probability  or  risk  (e.g.  reliability 
at  producer's  risk  and  reliability  at  user's 
risk)*  In  each  instance,  the  four  parameters 
tie  down  the  quantity  of  data  needed  for  the 
estimate  or  decision* 

However,  for  reliability  decision  making, 
the  sequential  test  procedure  has  been  exploited 
as  a means  for  reaching  decisions  with  the  same 
levels  of  risks  with  less  data  on  the  average. 

This  decision  making  technique  is  employed  by 
Tables  5*1  and  5*2,  Reliability  Accept -Reject 
Criteria,  of  Military  Specification  MIL-R-2666? 
(USAF),  General  Specification  for  Reliability 
and  Longevity  Requirements,  Electronic  Equipments. 
For  Table  5*1,  ®q/&1  s 2 and  o ( = /3  ~ !0$* 

For  Table  5*2,  = 1*5  and  cC  = f3  s 10$. 

The  average  number  of  failures  to  reach  a deci- 
sion in  the  Table  5*1  test,  if  the  MTBF  is  that 
value  which  will  most  greatly  prolong  the  test,  is 
10*2  failures  (as  compared  with  13  in  the  common 
procedure)  but  will  reduce  greatly  for  values  of 
MTBF  much  higher  or  lower*  Similarly,  the 
average  number  of  failures  for  a decision  under 
the  same  conditions  for  the  Table  5*2  test  is 
30  failures.  If  a sequential  test  is  designed 

for  Q0/Qi  = 10  and  oC  = fi  - 10$,  then  the 
average  number  of  failures  to  decision  for  the 
most  prolonging  MTBF  is  approximately  one 
failure . 


(m  i 

Mr) 

where  In  represents  loge,  the  natural  logarithm. 
Other  sequential  test  formulas  are  shown  in 
Fig*  1* 

Early  consideration  resulted  in  the 
recommendation  that  procurement  requirements 
always  be  specified  in  terms  of  the  reliability 
associated  with  the  producer's  risk,  and  that 
design  always  be  capable  of  tolerating  the 
reliability  associated  with  the  user's  risk. 

The  continual  desire  to  push  the  R and  D frontier 
then  forces  ratios  of  ©o/e^  which  are  close  to 
unity  and  which  then  require  extended  test  or 
observation  periods.  Means  are  then  sought  to 
avoid  the  testing  all  together,  or  ignore  the 
penalty  associated  with  accepting  large  risks. 
Better  understanding  and  publicizing  of  the 
complete  set  of  parameters  needed  to  specify 
reliability  will  perhaps  force  more  of  the 
engineering  profession  to  recognize  this  problem 
and  adopt  greater  discipline  in  the  future. 

References 

1*  Advisory  Group  on  Reliability  of  Electronic 
Equipment,  Reliability  of  Military  Electronic 
Equipment,  Office  of  the  Assistant  Secretary 
of  Defense  (R  Sc  E),  4 June  1957,  P*  vii. 

2.  Burnett,  T*  L. , "Truncation  of  Sequential 
Life  Tests",  Proceedings  Eighth  National 
Sympo  si  um  on  Rel lability  and  Qual i ty  C on t rol , 
Washington,  D.  C* , January  19?£,  pp.  ~ f -13  * 

3*  Molina,  E.  C.,  Poisson's  Exponential  Binomial 
Limit,  Van  No strand.  Hew  York,  1942* 

4.  Staff  .of  the  Computation  Laboratory,  Tables 
of  the  Cummulative  Binomial  Probability 
Distribution,  Harvard  University  Press, 
Cambridge,  Mass.,  1955* 

5.  Garner,  N.  W*,  and  Vail,  R.  W*,  "Confidence 
Limits  for  System  Reliability",  Military 
Systems  Design,  September -October  1961, 

pp.  24-27. 


If  maximum  producer’s  protection  is  desired, 
we  can  set£?t  = 1$,  ~ 10$  and  ©0/©^  “ 10  and  find 

maximum  average  decision  at  4.5  failures.  The 
formula  for  the  average  number  of  failures  to 
decision  for  the  most  prolonging  MTBF  is: 


43 


SERVICE  EVALUATION  OF  WEAPONS  SYSTEM  RELIABILITY 


Captain  Mark  W.  Woods,  U.  S.  Navy 
Operational  Test  and  Evaluation  Force 
Norfolk  11,  Virginia 


Quoting  from  Webster* s Dictionary  M Reliable 
is  applied  to  a person  or  thing  that  can  be 
counted  upon  to  do  what  is  expected  or  required." 
This  is  precisely  the  attribute  that  the  Navy  and 
the  other  services  look  for  in  a missile  weapons 
system.  Evaluation  of  a missile  weapons  system 
to  determine  reliability  after  it  is  delivered  to 
the  fleet  is  a very  difficult  problem.  It  is  partic- 
ularly so  these  days  when  we  are  trying  to  reduce 
lead  times  in  the  introduction  of  new  equipments 
into  service  use.  This  process  inevitably  leads 
to  shortcuts  in  testing  all  along  the  line.  There 
is  seldom  time  during  development  and  produc- 
tion for  enough  repetitive  testing  of  components, 
equipments,  and  assembled  systems  to  get  a real 
measure  of  reliability  or  to  be  certain  all  design 
problems  have  been  solved.  Consequently, when 
the  first  of  a new  ship  class  with  a new  missile 
system  reports  to  Commander  Operational  Test 
and  Evaluation  Force  (COMOPTEVFOR),  it  in 
many  cases  is  not  sufficiently  debugged  to  be 
ready  for  comprehensive  reliability  testing. 
Nevertheless,  the  necessity  for  immediate 
commencement  of  some  measure  of  reliability 
is  essential.  The  reason  is  that  follow-on  ships 
will  be  joining  the  operational  forces  while  COM- 
OPTEVFOR is  still  testing  the  first  ship,  and 
the  tactical  commanders  must  have  some  know- 
ledge of  what  performance  to  expect.  This 
means  that  even  during  debugging  and  shake- 
down  testing,  the  Navy  must  exert  every  effort  to 
commence  obtaining  reliability  data  while 
identifying  and  correcting  problems  due  to 
inadequate  design,  incorrect  installations, 
insufficient  personnel  training  or  lack  of  docu- 
mentation and  spare  parts.  As  any  statistician 
will  vociferously  testify,  this  is  extremely 
difficult  to  do. 

The  initial  efforts  then,  to  measure  relia- 
bility of  a new  missile  system  at  sea, 
commences  with  the  first  unit.  The  quality  of 
these  measurements  improves  as  the  ship  pro- 
ceeds through  the  several  types  of  tests  and 
evaluations  under  COMOPTEVFOR  and  as  the 
various  problems  are  solved.  These  tests,  in 
the  case  of  a surface-to-air  missile  system, 
might  include  a Development  Assist  Test,  a 
Technical  Evaluation,  and  finally  an  Operational 
Evaluation.  In  a Development  Assist  Test,  COM- 
OPTEVFOR assists  the  Navy  Bureau  of  Weapons 
(BUWEPS)  in  final  isolation  of,  and  correction 
of,  design  problems.  The  Bureau  has  technical 


direction  of  the  project  and  COMOPTEVFOR 
controls  and  coordinates  the  operation  of  the 
fleet  units  and  services  involved.  This  type  test 
normally  has  heavy  participation  aboard  from  the 
major  equipment  contractors.  A Technical 
Evaluation  is  again  a joint  BUWEPS/COMOPTEV- 
FOR  operation  in  which  the  objective  is  to  satisfy 
both  parties  that  the  ship  is  ready  for  an  Opera- 
tional Evaluation  of  the  missile  system.  A 
mutually  agreed  upon  test  plan  is  used  and  again 
there  is  contractor  representation  aboard,  but 
their  participation  is  limited  so  as  to  determine 
the  readiness  of  ship*s  company  to  maintain  and 
operate  the  system.  The  final  test  is  an  Opera- 
tional Evaluation  planned  and  conducted  by  COM- 
OPTEVFOR. The  ship  is  on  its  own  with  no 
Bureau  or  contractor  help  and  is  put  through  a 
rigorous  test  in  the  sea  operational  environment. 

The  sequence  of  tests  is  not  always  in  this 
order.  Sometimes  we  start  with  a Technical 
Evaluation  and  find  it  necessary  to  drop  back  to 
a Development  Assist  to  correct  unforeseen  prob- 
lems. Other  times  something  new  turns  up  in  an 
Operational  Evaluation  calling  for  a modification 
of  proceedings.  The  important  point  is  that 
BUWEPS,  from  the  shore  establishment,  and 
COMOPTEVFOR,  representing  the  fleet,  are 
jointly  attempting  to  measure  system  reliability 
all  through  the  test  cycle.  In  the  past  we 
attempted  to  measure  system  reliability  only  in 
Operational  Evaluations,  when  we  weren*t  faced 
with  the  problem  of  sorting  out  reliability  fac- 
tors from  a large  number  of  troubles  due  to  de- 
bugging, design,  etc.  The  current  onrush  of 
new  ships,  however,  justifies  an  attempt  to 
accumulate  reliability  data  earlier  in  the  service 
at-sea  testing  process. 

It  is  not  meant  to  imply  here  that  component 
reliability  testing  does  not  occur  during  develop- 
ment and  production,  or  during  BUWEPS  testing 
on  the  firing  ranges  at  White  Sands,  at  China 
Lake,  and  from  the  test  ship  NORTON  SOUND. 
Since,  however,  the  Navy  has  not  been  able  to 
afford  preliminary  test  of  complete  tactical 
systems  ashore  or  in  R&D  ships,  all  elements 
of  the  system  ready  for  evaluation  in  the  sea 
environment  appear  together  for  the  first  time 
on  the  first  new  operational  ship.  It  is  the 
reliability  of  this  combatant  ship  and  its  missile 
system  that  is  of  vital  concern  to  the  fleet. 

Before  going  into  test  program  details,  a 
few  words  are  in  order  on  the  sea  environment. 


It  is  obvious  to  you  all  that  ships  will  roll3 
vibrate*  steam  in  all  kinds  of  weather,  and  have 
almost  as  many  sailors  on  board  per  square  foot 
as  college  men  in  a telephone  booth.  These 
factors  certainly  affect  operation  and  maintenance 
requirements.  What  may  not  be  so  obvious*  how- 
ever* is  how  stack  gases  eat  holes  in  plastic 
coverings  on  pressurized  wave  guide*  how  the 
computer  which  worked  fine  on  your  factory  floor 
at  85  degrees  ambient  temperature  overheats  in 
the  same  room  temperature  when  jammed  into 
the  corner  of  a ship's  compartment*  how  the 
working  and  heaving  of  a ship  Vs  structure  affects 
alignment  of  radars*  how  the  shock  of  a fighter 
aircraft  landing  on  a carrier  deck  affects  an  air- 
to-air  missile  carried  in  the  plane,  and  how 
cramped  or  exposed  spaces  restrict  the  number 
of  men  who  can  work  on  a piece  of  equipment. 

We  always  manage  to  solve  these  problems  event- 
ually for  a particular  system*  but  what  is  frus- 
trating is  that  in  many  cases  we  have  to  solve 
them  ail  over  again  for  new  systems.  Any  con- 
tractor providing  Navy  equipment  must  be  cog- 
nizant of  how  these  elements  of  environment 
could  effect  the  reliability  of  his  equipment. 

This  environment  also  affects  our  methods 
of  measuring  system  performance*  In  the  first 
place,  there  isn't  much  room  on  board  so  we 
can't  carry  large  disinterested  observing  teams. 
The  majority  of  the  data  must  be  recorded  by 
ship's  force.  This  means  the  requirements  must 
be  reasonable  and  not  unduly  interfere  with  other 
duties.  It  means  there  must  be  some  cross 
checks  built  into  the  procedure  to  identify  in- 
correct data.  It  means  adequate  instrumentation 
must  be  included  to  evaluate  system  and  missile 
flight  performance.  And  finally*  it  means  that 
when  we  have  an  equipment  breakdown*  we  must 
be  able  to  make  repairs  in  all  types  of  weather 
and  stormy  seas*  if  possible*  and  with  the  spares 
we  can  carry  on  board. 

In  setting  up  an  evaluation  program  for  a new 
ship  in  the  sea  environment,  we  have  many  objec- 
tives besides  determining  reliability.  As  men- 
tioned earlier  the  Development  Assist  Tests  and 
the  Technical  Evaluation  are  primarily  for  de- 
bugging and  certification  of  readiness  for  the  big 
test  which  is  the  Operational  Evaluation.  In  a 
few  words,  the  objective  of  the  Operational 
Evaluation  is  to  determine  readiness  of  the  sys- 
tem for  war.  Since  this  test  is  usually  longer 
and  involves  more  firings  than  previous  tests* 
we  often  uncover  additional  design  and  installa- 
tion problems.  Obviously*  we  continue  to 
measure  reliability.  We  also  measure  efficiency 
and  adequacy  of  logistic  support  and  of  personnel 
training  and  manning  levels.  This  includes  not 


only  firing  exercises  but  non- firing  tests  of  such 
things  as  resupply  of  missiles  at  sea  from 
ammunition  ships.  Hundreds  of  hours  are  used 
in  measuring  radar  detection  capabilities  and 
target  processing  time  starting  from  single  raids 
up  to  and  including  mass  saturation  attacks. 

Missile  firing  tests  are  always  limited  by  the 
availability  of  missiles.  There  are  never  enough 
missiles  to  optimize  tests  throughout  the  envelope 
strictly  for  reliability  purposes.  To  do  this 
requires  several  shots  at  a given  target  under 
almost  identical  performance  conditions  in  order 
to  be  able  to  state  reliability  with  a high  level  of 
statistical  confidence.  Remembering  that  this  is 
the  first  ship  of  a class,  there  are  still  unexplor- 
ed areas  of  the  performance  envelope.  During 
earlier  RDT&E  testing  we  are  usually  restricted 
for  safety  considerations  in  what  can  be  done  on 
the  land  range.  The  R&D  test  ship  normally  does 
not  have  the  full  tactical  system.  Consequently, 
of  first  priority  will  be  conduct  of  those  tests 
which  couldn't  be  done  anywhere  else.  This  not 
only  includes  several  new  missile  flight  trajec- 
tories* but  conducting  the  shots  with  such  added 
attractions  as  high  ship  speed*  high  roll*  guns 
firing*  etc.  It  also  includes  all  the  different 
possibilities  of  the  target  presentation  in  combat 
such  as  varying  speeds*  altitudes*  and  maneu- 
vers, Every  effort  is  made  to  eliminate 
unimportant  variables  and  to  combine  tests  so  as 
to  contribute  the  maximum  amount  of  data  for 
statistical  reliability  purposes.  The  order  of 
tests  is  also  randomized  as  much  as  possible  in 
order  to  eliminate  unpredicted  effects  of  time. 

Throughout  the  entire  test  program  we  must 
be  extremely  careful  that  we  don't  identify  un- 
reliability when  in  truth  the  problem  is  more  due 
to  inexperienced  personnel*  unavailable  spare 
parts*  improper  documentation  and  procedures* 
or  just  plain  unrealistic  requirements  in  the  sea 
environment.  But  we  have  to  be  just  as  careful 
on  the  other  side  of  the  coin  to  resist  the  siren 
song  of  some  contractors  saying  that  if  we  will 
just  train  our  men  to  the  level  of  engineers  and 
buy  enough  spares  our  problems  will  be  solved. 
Obviously  we  will  never  be  able  to  train  all  our 
men  to  be  systems  engineers.  Nor  will  our 
logistics  system  support  great  quantities  of 
spares.  One  reason  the  Navy  insists  on  conduct- 
ing Operational  Evaluations  with  fleet  ships 
under  COMOPTEVFOR  is  that  fleet  personnel 
have  the  most  realistic  appreciation  for  our 
reasonable  capabilities  in  training  and  logistic 
support. 

As  a final  comment  on  the  test  program*  it 
is  important  to  understand  that  much  of  our 
support  comes  from  fleet  units  and  activities. 


46 


This  is  true  for  all  our  tests  at  sea  whether  for  a 
Development  Assist  Test  or  an  Operational 
Evaluation,  Since  these  units  and  activities  do 
much  more  than  support  our  test  and  evaluation 
operations,  efficiency  in  the  use  of  services  is 
essential.  These  services  must  be  scheduled 
months  ahead  of  time  and  are  not  easily  respon- 
sive to  last  minute  changes.  Let  me  urge  then 
that  any  of  you,  whether  service  or  contractor 
personnel,  who  find  yourselves  involved  in  tests 
at  sea  do  the  very  best  advance  planning  you 
possibly  can  to  take  advantage  of  fleet  services 
when  scheduled* 

Let  me  now  go  into  some  detail  on  how  the 
Navy  measures  reliability  in  the  TALOS, 
TERRIER  and  TARTAR  Surface -to- Air  missile 
systems.  As  implied  earlier,  we  don't  stop 
measuring  reliability  on  completion  of  GPTEV- 
FOR  tests.  We  must  continue  to  measure  re- 
liability and  readiness  throughout  the  service  life 
of  the  missile  system  on  all  ships.  This  requires 
that  the  measurement  procedure  be  the  same  on 
all  ships  if  we  are  to  get  any  meaningful  statis- 
tics. The  procedure  must  also  be  broad  enough 
to  provide  the  needs  of  all  the  interested  activi- 
ties such  as  CGMOPTEVFOR,  the  Navy's  Tech- 
nical Bureaus  and  the  Fleet  Commanders.  The 
detailed  methods  we  used  a few  years  ago  when 
we  had  only  a small  number  of  missile  ships  are 
not  now  equal  to  our  needs.  We  have  learned  a 
lot  from  the  many  ships  which  commenced  join- 
ing the  fleet  last  year.  As  a result  of  a rather 
long  study,  with  inputs  from  the  many  interested 
activities,  the  Bureau  of  Weapons  and  the  Bureau 
of  Ships  have  recently  published  a revised 
Standard  Reporting  Procedure  for  Surface-to-Air 
Missile  System  Operability  and  Maintenance. 

This  procedure  will  be  used  by  all  surface-to-air 
missile  ships  whether  in  the  test  and  evaluation 
status  or  in  fleet  operations.  Modifications  to 
suit  the  needs  of  a particular  activity  will  be  by 
addition  and  not  deletion  of  any  of  the  require- 
ments . 

The  overall  system  includes  reporting  in  the 
following  categories: 

a.  Component  Failures, 

b.  System  Material  Operability  and  Mainten- 
ance. 

(1)  Missiles, 

(2)  Non- expendable  Equipment. 

c.  Missile  Firings. 

d.  Commanding  Officer's  Quarterly  Narra- 
tive Reports, 

Items  a through  c are  reported  on  with  forms 
provided  to  the  ship.  Item  d,  the  Commanding 
Officer's  Narrative,  is  a letter  report  covering 


anything  else  in  addition  that  the  Commanding 
Officer  feels  is  pertinent  but  must  include  a short 
summary  of  his  operations,  overall  weapons 
system  appraisal,  spare  parts  adequacy,  system 
documentation  adequacy,  personnel  status,  out- 
side technical  assistance  requested  and  received, 
plus  any  recommendations. 

Component  Failure  and  Missile  Firing 
Reports  are  filled  out  and  mailed  to  prescribed 
activities  when  occurring.  Although  these  are 
officially  compiled  and  analyzed  by  designated 
organisations,  all  appropriate  contractors  may 
receive  copies  of  failure  reports  and  all  appro- 
priate missile  ships  and  fleet  commands  receive 
direct  copies  of  firing  reports.  The  System 
Material  Operability  and  Maintenance  reports  on 
Missiles  consist  of  results  of  periodic  missile 
systems  tests  of  the  depot  stockpile  and  ships 
magazine  loads.  These  reports  are  compiled 
and  analyzed  by  the  same  agency  that  analyzes 
flight  tests. 

1 would  now  like  to  go  into  some  detail  on  the 
System  Material  Operability  and  Maintenance 
Reports  of  Non- Expendable  Equipment.  Here  is 
where  we  get  a feel  for  the  readiness  or  relia- 
bility of  the  installed  support  equipments  such  as 
search  and  detection  radars,  fire  control  radars, 
computers,  etc.  The  report  makes  use  of  the 
following  formula: 

Pe  = Pa  x Pr 
whe  re; 

Pe  - System  Material  Effectiveness  Factor 
expressed  as  a decimal  or  percent. 

Pa  = System  Availability  Factor. 

Pr  = System  Reliability  Factor. 

The  Pa,  Availability  Factor,  is  based  on  the 
scoring  of  a Daily  Systems  Operability  Test 
(DSOT)  and  is  the  average  score  obtained  over  a 
month's  period.  The  DSOT  consists  of  a com- 
plete dynamic  test  of  all  major  elements  when 
operating  together  as  a system.  It  is  the  best 
test  that  can  be  devised  which  can  be  run  in  a 
reasonable  period  of  time,  say  1/2  hour,  to  give 
high  assurance  that  the  system  is  ready  for  use. 
The  score  is  determined  by  a formalized  proce- 
dure and  is  a function  of  how  long  it  took  the 
ship  to  pass  the  test  correcting  any  deficiencies 
found.  As  many  DSOTs  can  be  run  as  desired 
either  on  a planned  or  surprise  basis,  they  all 
count  on  the  monthly  average  score. 

The  Pr,  Reliability  Factor,  takes  care  of 
what  we  might  expect  the  system  reliability  to  be; 
between  DSOTs.  It  is  a function  of  the  mean 
time  between  breakdowns  MTM  anywhere  in  the 
system  and  the  interval  ITlfl  between  DSOTs. 
These  are  figured  over  a month's  basis  and  the 


ship  computes  a function  T / 1.  Using  T/I  and  a 
graph  provided  by  BUWEPS,  a value  is  obtained 
for  Pr,  The  graph  is  based  on  predicted  failure 
rates  of  components  with  time.  The  longer  the 
measured  interval  between  breakdowns,  the 
higher  the  Pr.  The  shorter  the  interval  between 
DSOTs,  at  which  time  the  system  is  known  to  be 
operational,  the  higher  the  Pr  score.  The  Pr 
value  gives  a direct  measure  of  how  equipment  is 
performing  on  a particular  ship  being  directly 
responsive  to  that  shiprs  failure  rates  and  testing 
frequency. 

One  other  important  record  is  required  by  the 
ship  in  order  to  easily  tell  why  the  ship  may  have 
a high  or  low  overall  Pe,  Material  Effectiveness 
factor.  The  previously  mentioned  Component 
Failure  Reports  could  provide  this  data  with 
enough  correlative  effort.  To  have  a ready  refer- 
ence, however,  another  form  called  the  Equip- 
ment Status  Report  is  used.  This  form  is  kept 
on  each  major  equipment  such  as  radar,  launcher 
etc.  and  provides  for  filling  in  a status  category 
for  each  hour  of  the  day  over  a week*s  period. 

The  various  categories  are  as  follows: 

a.  Operating  at  Full  Capability. 

b.  Operating  at  Reduced  Capability.  This 
might  include  some  automatic  functions 
being  out  of  commission  but  the  system 
is  still  operating  by  manual  inputs 
although  at  reduced  firing  rate. 

c.  Undergoing  Systems  Test. 

d.  Standby  - low  voltages  applied  only. 

e.  Shut  Off. 

f.  Non-Interruptive  Preventive  Maintenance, 
in  progress  - could  still  fire  if  needed. 

g.  Inactive  - ship  in  Navy  Yard,  etc. 

h.  Interruptive  Preventive  Maintenance  in 
progress. 

j.  Undergoing  Modification. 

k.  Down  - Undergoing  Corrective  Mainten- 
ance. 

l.  Reduced  Capability  - Undergoing  Preven- 
tive Maintenance. 

m.  Down  - Awaiting  Spares. 

n.  Down  - Equipment  Cannibalized. 

p.  Down  - Failure  of  Support  Equipment- 
test  equipment,  ship1  s power  supply,  etc. 

q.  Down  - Require  Outside  Help, 

It  may  appear  from  what  has  just  been  dis- 
cussed that  the  Navy  will  have  to  man  ships  with 
mathematicians  and  stenographers  to  use  the 
new  Bureau  reporting  system.  IPs  not  quite  as 
bad  as  it  looks  since  all  the  forms  are  provided 
and  it  is  simply  a matter  of  following  instruc- 
tions. As  can  be  seen,  there  are  some  cross 
checks  built  into  the  plan  which  should  help  iden- 


tify bad  data.  As  mentioned  before,  the  plan  is 
based  on  earlier  experiences  and  evaluations 
wherein  we  have,  at  times,  had  need  for  all  the 
data  now  required.  Certainly,  the  new  procedure 
will  require  a serious  and  time  consuming  effort 
on  the  part  of  the  ship*s  company.  There  isn*t 
any  doubt  in  our  minds  that  our  ship^  personnel 
are  equal  to  the  task  or  that  this  effort  is  essen- 
tial to  a valid  prediction  of  combat  capability. 

In  conclusion,  let  me  emphasize  that  the 
objective  of  testing,  in  the  sea  environment  is  to 
simulate  in  peacetime,  all  the  requirements  we 
can  foresee  during  war,  --  to  give  everthing  a 
chance  to  happen  that  could  happen.  It  is  this 
requirement  that  dictates  continuous  efforts  to 
record  and  analyze  reliability  data  at  every 
opportunity  in  the  formal  testing  cycle  of  new 
systems  as  well  as  during  subsequent  operations 
of  all  fleet  units.  The  real  pay  off  and  the  tough- 
est part  of  the  job  comes  in  the  analysis  and  for- 
mulation of  conclusions.  Decisions  on  how  to 
improve  reliability  are  usually  the  most  diffi- 
cult to  formulate  in  the  marginal  cases;  that  is, 
in  those  situations  where  any  one  of  several 
feasible  courses  of  action  might  suffice,  such  as 
more  comprehensive  personnel  training,  a 
larger  stockpile  of  parts,  or  a redesign  of  some 
component.  Obviously,  pursuance  of  all  three 
is  the  best  solution.  However,  efficient  use  of 
manpower  and  funds  usually  dictates  otherwise. 
The  talents  and  brains,  objectively  used,  of  the 
whole  Service  and  Industry  team  are  required  if 
these  decisions  are  going  to  be  timely  and 
correct.  The  best  practice  in  Industry,  of 
course,  is  to  design  and  build  reliability  into 
equipment  in  the  first  place,  to  give  reliability 
just  as  high  a priority  as  performance.  Highly 
reliable  defense  products  not  only  promote  in- 
dividual company  reputations,  but  the  greater 
welfare  of  our  Nation  as  well.  In  the  Services 
we  also  have  work  to  do  in  the  continuous  exami- 
nation of  our  specifications,  and  the  stating  of 
our  needs  as  precisely  as  possible.  Only  by 
such  an  enlightened,  combined  effort  can  we  buy 
with  out  dollars  the  "BANG”  we  can  count  on 
when  our  sailors,  soldiers,  or  airmen  close  the 
firing  key. 


48 


HgLIABILin  TECHNIQUES  IN  PRODUCTION 


B.  L«  Lubelsky 

Lockheed  Missiles  and  Space  Company 
Sunnyvale  , California 


When  discussing  "Be liability”  activities,  I 
am  including  all  special  functions  devoted 
principally  to  enhancing  total  product  quality — 
and  those  functions  known  as  quality  control  and/ 
or  inspection  are,  of  course,  of  major  importance 
in  production  areas*  In  addition,  while  the 
Reliability  engineering  activity  has  largely  been 
identified  with  the  design  activities,  the  pro- 
duction of  reliable  hardware  in  conformance  with 
approved  engineering  designs  is  also  a Reli- 
ability engineering  area  of  effort. 

Design  Definition  Review 

1*  This  function  can  be  classified  as 
either  one  of  the  end  functions  of  the  design 
phase  or  as  one  of  the  starting  functions  of  the 
production  phase, 

2,  The  purpose  is  to  make  sure  the 
designer’s  intent  is  fully  and  completely 
communicated  to  the  technicians  who  will  convert 
It  into  hardware  and  to  the  inspectors  who  will 
test  and  inspect  it. 

Manufacturing  Paper  Review 

Most  people  not  closely  connected  with  pro- 
duction activities,  and  this  includes  most 
designers,  are  under  the  illusion  that  manufac- 
turing people  work  directly  and  only  from  the 
engineering  design. 

1.  Production  activities  have  their  own 
special  "family”  of  planning  and  process  paper 
which  is  used  to  convert  the  engineering  design 
into  the  detailed  instructions  necessary  for 
manufacturing . This  may  include  substituting 
"equivalent”  standard  manufacturing  process 
specifications  for  the  design -produced  process 
specifications.  While  these  manufacturing  specs 
may  start  out  as  "equivalents?  changes  and 
necessity  may  soon  eause  significant  differences, 

2.  Reliability  engineering  review  of  the 
production  planning  and  process  paper  to  assure 
its  compatibility  with  the  designer’s  intent  is 
one  of  the  more  important  production  reliability 
activities.  This  is  done  on  a sampling  basis 
with  unsatisfactory  areas  receiving  further 
detailed  investigation. 

Manufacturing  Production  Planning 

This  Reliability  area  includes  both  general 
requirements,  such  as  cleanliness  and  good 


lighting,  and  detailed  requirements  relating  to 
material  flow,  work  station  layout,  process 
equipment  and  control,  material  handling,  pack- 
ing, and  many  others, 

1.  Reliability  review  of  production  plan- 
ning, while  it  is  still  planning,  often  discloses 
conditions  which  are  not  favorable  toward  the 
consistent  production  of  reliable  hardware.  Such 
unsatisfactory  conditions,  such  as  failure  to 
provide  for  a "clean  room"  for  production  of 
delicate  electronics  equipment,  can  be  forced  to 
general  management  attention  so  that  the  delete- 
rious effects  on  production  reliability  axe 
appreciated  and  considered  in  reaching  a final 
decision. 

2.  Continuing  review  of  production  practice 
changes  is  also  necessary  as  a change  which  may 
appear  to  be  desirable  for  economy  of  time  or 
money  is  often  detrimental  to  reliability  and 
may,  in  final  balance,  cause  extra  costs  rather 
than  achieving  savings. 

3.  Independent  outside  audit  of  chemical 
process  specifications  may  sometimes  be  required 
to  ascertain  whether  or  not  the  specified  process 
will,  in  fact,  produce  the  plating,  painting, 
anodizing,  welding  or  other  result  required. 

Test  and  Inspection 

This  is  the  big  area  of  quality  control — 
the  joh  of  measuring  hardware  dimensional  and 
functional  characteristics,  comparing  them  with 
the  design  requirements  and  recording  the  results. 
Statistical  tools  such  as  lot  sampling  and  show- 
how  process  charts  may  be  of  value  in  this  area — 
particularly  if  volume  is  large  and  automatic 
test/inspection  equipment  is  not  used. 

1.  While  "inspector”  seems  to  he  a depre- 
ciated word — this  is  the  area  of  test  and 
inspection  by  an  "inspector"  Certain  quality 
functions  such  as  test  and  inspection  planning 
are  required  to  assist  the  inspector  and  certain 
data  handling  techniques  are  useful  in  identify- 
ing trouble  areas  not  immediately  apparent  during 
normal  inspection  operations. 

2.  As  "check  and  balance"  is  one  of  the 
basic  premises  behind  Reliability  activities,  an 
audit  of  quality  control  planning,  procedures  and 
activities  is  required. 

3*  Failure  diagnosis  by  engineering 
(design,  reliability  and  production)  personnel 
to  determine  primary  failure  causes  on  both 


factory  e.id  field  failures  will  speed  effective 
corrective  action  (design,  production  or  procure- 
ment) to  prevent  continuous  recurrence  of  the 
failure  mode, 

4.  Participation  in  Material  Review 
activities  to  assure  against  unacceptable 
material  getting  used  is  also  a very  important 
production  quality  control  function. 

Conclusion 


I have  just  described  to  you  some  of  the 
major  product  quality  functions  in  the  production 
portion  of  the  design -produce -use  chain.  Under 
tactical  production  situations  a repair/overhaul 
cycle  on  field-returned  material  is  a separate 
portion  of  the  production  activity  which  must 
receive  Special  attention  in  all  of  the  previously 
mentioned  areas.  As  nine  hundred  and  ninety -nine 
departures  from  the  designer's  intent  will  degrade 
quality  as  compared  to  one  or  two  which  might 
improve  it,  the  production  product  quality 
function  is  to  insure  and  assure  full  design 
conformance . 


50 


ECONOMIC  CONSIDERATIONS  OF  RELIABILITY 


F.  E.  Wenger  , 'M 

AFSC,  Andrews  AFB,  Md 


The  subject  of  this  presentation  "Economic 
Considerations  of  He liability"  is  like  trying  to 
put  a value  on  life  or  freedom,  for  this  is  just 
what  the  reliability  of  our  systems  means  to  us. 
The  purpose  of  this  speech  is  to  stimulate  think- 
ing  and  action,  not  to  give  all  the  answers.  The 
barrier  which  I am  trying  to  overcome  is  not  heat 
or  sound  but  that  of  mind;  this  appears  to  be  the 
only  barrier  man  is  confronted  with  anyhow.  We 
must  not  be  limited  by  mental  blocks,  such  as  — 
we  cannot  use  this  reliable  part  because  it  costs 
15  cents  more  than  a conventional  one , and  we 
cannot  stand  the  extra  cost.  This  statement,  on 
a 50  million  dollar  or  100  million  dollar  pro- 
gram — a part  failure  can  cause  an  abort  at  the 
launching  site  at  a cost  of  millions  of  dollars, 
plus  an  exhaustive  search  for  similar  defective 
parts  in  other  systems,  which  is* more  costly 
than  all  the  parts  used  in  the  equipment. 

Thousands  of  words  have  been  written  on 
reams  of  paper  on  how  to  increase  reliability, 
but  all  this  has  accomplished  is  to  demonstrate 
that  you  cannot  solve  the  reliability  problem  by 
oratory,  any  more  than  you  can  clear  a traffic 
jam  by  blowing  a horn,  and  the  best  reliability 
program  is  useless  unless  there  is  someone  to 
bundle  up  the  reliability  requirements  in  the 
program  and  turn  over  reliable  equipment  to  the 
customer*  How  good  a job  you,  the  producer, 
have  done  is  determined  when  we,  the  customer, 
use  it. 

We  hear  a great  deal  about  the  cost  of  Reli- 
ability, but  I would  like  to  make  a categorical 
statement  that  Reliability  does  not  increase 
cost,  but  the  achievement  of  realistic  reliabili- 
ty figures  pays  in  dollars,  in  time,  and  above 
all,  in  systems  effectiveness  or  readiness.  I 
would  like  to  pose  a question  to  you  — if  you 
had  a million  dollar  metalworking  machine  that 
was  vital  to  your  survival,  and  its  reliability 
was  33%  and  its  availability  only  3 hours  out  of 
24 f at  a maintenance  cost  of  $1,000  per  day  — 
would  you  hesitate  to  spend  another  $250,000  to 
achieve  90%  reliability  with  an  availability  of 
20  out  of  24  hours  and  a maintenance  cost  of  $50 
per  day  — your  answer  would  be,  let’s  get  on 
with  the  program. 

To  stimulate  your  thinking  and  to  illustrate 
the  savings  that  can  accrue  in  a total  reliabili- 
ty program,  I have  chosen  a few  representative 
examples  of  what  can  be  achieved. 

Savings  are  defined  as  money  not  spent  for 
maintenance  of  a system  due  to  increased  reli- 
ability.  I will  also  illustrate  how  total  cost 
reduction  can  be  achieved  through  increased 
availability  of  a system* 


The  tremendous  savings  of  money  that  reli- 
ability (properly  used)  can  achieve  for  the 
military  is  almost  unbelievable.  The  first 
example  will  be  concerned  with  a simple  electron 
tube  — not  much  chance  for  cost  reduction  here 
— well,  let’s  see. 

The  5814  type  electron  tube  is  presently 
issued  at  the  rate  of  £00,000  per  year  to  Air 
Force  operational  forces.  These  are  replacement 
parts;  each  one  represents  a maintenance  action 
and  all  of  the  logistics  actions  associated  with 
a maintenance  action,  A review  of  the  cost  to 
the  Air  Force  of  removing  an  equipment  from  an 
aircraft,  and/or  missile,  checking  of  the  equip- 
ment, removing  and  replacing  the  defective  part, 
realigning  the  equipment,  and  reinstalling  the 
equipment  into  the  systems,  shows  a cost  of 
between  5 and  353  dollars. 

For  the  purpose  of  this  illustration,  I will 
use  the  lowest  figure  of  $5*00  per  maintenance 
action.  Let  us  assume  that  we  can  buy  this  tube 
at  various  reliability  levels  as  shown  on  this 
slide . 

SLIDE  1 

FAILURE  RATE 


14/1000  hrs 
0. 156/1000  hrs 
0.0156/1000  hrs 
0.00156.1000  hrs 
0.000556/1000  hrs 
0.000156/1000  hrs 

SLIDE  2 

This  slide  shows  relationships  between  fail- 
ure  rates,  the  number  of  tubes  needed  per  year, 
maintenance  cost  at  $5*00  per  maintenance  action, 
total  tube  cost  at  each  failure  rate.  This  cost 
is  based  on  a hypothetical  tube.  As  you  know, 
tubes  with  such  low  failure  rates  are  not 
available  as  yet. 

The  cost  of  buying  this  tube  under  present 
practices  is  $800,000  and  the  cost  of  maintenance 
action  to  replace  this  tube  at  $5*00  per  mainte- 
nance action  is  $4  million  (startling  isn’t  iti) 
so  the  total  cost  to  the  Air  Force  is  4.8 
million  dollars. 

1 am  going  to  hold  this  slide  for  a few 
moments  to  give  you  time  to  digest  its  import, 

I stated  at  the  beginning  that  I wanted  to 
stimulate  thinking.  This  should  do  it.  but  more 
important,  reliability  techniques  and  procedures 
can  be  applied  to  show  real  progress  in  cutting 
expenditures . 


COST/ITEM 

$1.00  present  practice 
$3*00  (hypothetical  fig) 
$9.00  ( " ) 

$27.00  ( " ) 

$50,00  ( Tl  ) 

$100,00  ( " ) 


31 


In  passing,  it  is  worthy  to  note  that  we 
could  pay  $11,995  for  a single  tube  having  a 
failure  rate  of  0,0005%/l, 000  hrs  without 
increasing  present  expenditures* 

The  next  example  will  be  concerned  with  an 
equipment,  specifically  the  412L  system.  This 
system  is  composed  of  13  subsystems  (AN/GPA-73) 
whose  parts  complement,  added  together,  total 
8 million  semiconductors  and  30  million  other 
electronic  parts.  This  is  greater  than  the 
total  number  of  electronic  parts  found  in  a 
modern  city  of  one  million  inhabitants,  counting 
all  radios,  television  sets,  transmitting 
stations,  the  telephone  system,  phonographs, 
amateur  radio  systems,  radio  operated  garage 
door  controls,  etc.  In  addition,  the  basic  412L 
system  is  associated  with  data  acquisition 
equipment  which  contains  an  additional  estimated 

882.000  electronic  parts,  a communi cat ions  Sub- 
system with  an  estimated  2 million  parts  and 
ancillary  equipment  totaling  an  estimated 

500.000  parts.  This  adds  up  to  41,382,000 
electronic  parts  in  the  complete  412 L system. 

The  complexity  of  the  412L  system  poses  a 
severe  reliability  problem.  In  June  1959,  the 
formula  of  paragraph  3*2  of  MIL-R-26474  was 
utilized  to  compute  the  reliability  o£  one 
AN/GPA-73,  hereafter  called  subsystem  (without 
consideration  of  the  data  acquisition,  communi- 
cations or  ancillary  equipments).  This  formula, 
which  reflects' the  state  of  the  art  (i.e.,  that 
reliability  obtainable  without  the  use  of  special 
parts,  extreme  derating,  etc)  predicted  that  the 
system  would  experience  28,500  failures  for  each 

10.000  hours  of  elapsed  time. 

In  January  I960  another  prediction  was  made 
which  considered  the  derating  and  cooling  which 
would  be  applied  to  the  parts,  and  a prediction 
of  13,092  failures  per  10,000  elapsed  time  hours 
was  made.  This  is,  of  course,  still  greater  than 
one  failure  an  hour.  The  contractor  then  embarked 
on  an  aggressive  reliability  program  which  in- 
cluded the  generation  of  specifications  for 
special  high  reliability  parts. 

In  January  1961,  a Monte  Carlo  simulation  of 
the  subsystem  operation  was  made  incorporating 
the  latest  expected  part  failure  rates,  and  the 
results  indicated  a reduction  of  the  failure  rate 
to  about  155  failures  per  10,000  hours  of  elapsed 
time.  It  should  be  noted,  this  prediction  elim- 
inated part  failures  which  would  not  cause  system 
‘failure*  This  would  cause  the  improvement  to  ap- 
pear greater  than  it  really  is.  This  was  taken 
into  consideration  by  allowing  an  adequate  safety 
margin  in  our  computations.  The  412L  system, 
(considering  only  the  13  AN/GPA-73s)  will  cost  an 
estimated  total  of  $195,000,000.  Government  fur- 
nished equipment  and  site  construction  will  double 
this  figure.  The  reliability  program  cost  - 
$1.46  million. 


In  considering  the  economies  of  the  program, 
however,  many  viewpoints  may  be  taken  with  vary- 
ing advantages  and  risks.  Three  of  these  view- 
points will  be  discussed. 

The  first  economic  viewpoint  will  consider 
monetary  considerations  exclusively,  and  will 
assume  a ten  year  equipment  life.  It  was  pre- 
viously shown  that  the  difference  in  the  1959  and 
1961  reliability  predictions  is  28,345  failures 
per  10,000  hours.  Adding  a safety  factor  to  com- 
pensate for  the  fact  that  the  1961  prediction 
included  only  functional  failures,  it  is  esti- 
mated that  28,500  failures/10,000  hours  would 
occur  under  the  1959  predictions  and  500  failures/ 

10.000  hours  for  the  1961  prediction  with  the 
safety  factor  previously  mentioned.  Using  the 
$5,00  maintenance  costs,  which  is  way  low,  there 
would  be  a $140,000  savings  per  set  per  10,000 
hours.  For  the  10  year  period  using  13  sets, 
there  would  be  a saving  of  $15,955,000  due  to 
improved  reliability. 

Let  us  look  at  it  another  way,  the  28,500 
failures  per  10,000  hours  predicted  in  1959,  when 
coupled  with  expected  repair  rates  of  12  minutes 
for  display  portions  and  6 minutes  for  data 
processing  portions  of  the  subsystem  would  have 
resulted  in  a total  of  2,800  hours  of  downtime 
out  of  every  10,000  hours  elapsed  time.  The  fig- 
ures predicted  in  1961  with  the  same  repair  time 
would  result  in  an  expected  downtime  of  only 
21.5  hours  out  of  every  10,000  hours.  This  means 
the  subsystem  envisioned  in  1959  would  have  been 
available  for  duty  about  72%  of  the  time.  The 
system  envisioned  in  1961  would  be  available  over 
99%  of  the  time.  Applying  the  safety  factor  for 
the  difference  in  prediction  methods  and  using  a 
90%  availability  from  the  1961  prediction, 
availability  will  have  jumped'  from  72%  in  1959  to 
90%  in  1961.  This  occurred  at  a cost  of  relia- 
bility of  $1.46  million  in  a $295  million  con- 
tract, or  about  3/4  of  1%  of  the  system  cost 
(not  including  GFE  or  site  construction).  A 
0.75%  increase  in  program  cost,  therefore,  bought 
a plus  18%  increase  in  the  availability  of  each 
subsystem. 

There  is  still  a third  method  of  figuring  the 
economics  of  reliability.  This  method  is  concern- 
ed with  putting  a value  on  reliability  based  on 
cost  per  hour  of  operation,  the  contractor  reasons 
that  the  cost  of  the  system  in  10  years  would  be 
295  million  dollars  plus  the  operating  costs  of 
$40  million  per  year  or  a total  of  695  million. 
This  establishes  a value  for  the  13  sets  of  about 

8.000  dollars  per  hour  over  the  87,600  hours  in 
the  10  year  period.  A single  subsystem  would, 
therefore,  be  worth  $615  an  hour.  Therefore, 
using  the  1959  prediction,  the  subsystem  would  be 
out  of  commission  28%  of  the  time  or  about  2800 
hours  per  10,000  hours  resulting  in  a cost  of 
$1,722,000.  Using  the  1961  prediction,  the  sub- 
system would  be  out  of  commission  10%  of  the  time 


52 


or  1,000  hours  per  10,000  hours,  resulting  in  a 
cost  of  $615,000  for  the  downtime  period* 

Since  there  are  a total  of  13  subsystems  in  a 
complete  system,  there  would  be  a dollar  savings 
of  $12,840,000  in  downtime  for  an  investment  of 
$1*46  million  in  reliability.  This  slide  sum- 
marizes the  three  methods  of  evaluating  the 
economics  of  reliability, 

SLIDE  3 


An  example  of  simple  reliability  practices 
providing  comparatively  large  gains  in  both 
reliability  and  operating  economy  is  provided  by 
a display  system  now  in  development.  This  system 
contains  3400  indicator  light  bulbs.  To  maintain 
a required  failure  rate  of  1%  per  1,000  hours, 
they  must  be  replaced  by  preventative  maintenance 
before  the  wear out  portion  of  their  life  is 
reached.  Under  normal  conditions  this  would  re- 
quire the  replacement  of  each  bulb  after  about 
400  hours  of  operation.  At  thirty  cents  a bulb, 
this  would  cost  the  Air  Force  $1,020  every  400 
hours  or  an  operating  cost  for  bulb  replacement 
alone,  of  about  $22,000  each  year.  By  derating 
the  bulbs  to  operate  at  12  volts  instead  of  at 
the  rated  14,  the  replacement  period  will  be  in- 
creased by  six  times.  The  bulbs  would  therefore, 
need  replacement  only  every  2,400  hours,  or  less 
than  four  times  a year,  for  a yearly  cost  of  less 
than  $4,000.  $18,000  will  be  saved  each  year. 

I think  it  is  fitting  to  close  this  paper 
with  some  figures  from  a program  you  have  all 
heard  about  — TACAN. 

The  TACAN  equipment,  military  nomenclature 
AN/ARN-21,  has  evolved  through  models  A,  B,  and 
finally  C.  The  A and  B models  were  procured 
without  reliability  as  a specified  requirement 
and  were  delivered  with  a mean  time  between 
failure  (MTBF)  of  17.5  hours.  The  C model  was 
purchased  with  a 150  hour  MTBF  requirement.  The 
contractor  met  the  requirement. 

The  records  of  the  Air  Force  show  that  the 
average  cost  per  maintenance  action  of  the  TACAN 
equipment  is  $147.00.  At  17.5  hr  MTBF  the  cost/ 
year  for  logistic  support  is  $8,400  per  set. 
Approximately  16,000  sets  are  in  use.  The  total 
logistic  cost  per  year  is  approximately  $134*2 
million.  The  C model  TACAN  at  150  MTBF  cost  only 
$980/year  to  support.  The  total  logistic  support 
cost  is  approximately  $15*7  million/year. 


By  enforcing  the  reliability  requirement  for 
the  C model  TACAN,  the  Air  Force  is  realizing  a 
yearly  savings  of  approximately  $118.5  million. 
This  slide  shows  this  support  savings  on  a basis 
of  reliability  vs.  per  set  year. 

Incidentally,  the  C model  sets  having  150 
hrs  MTBF  cost  $300  less  than  the  A and  B model 
17.5  MTBF  sets,  and  has  higher  performance 
characteristics . 

SLIDE  4 


ACKNOWLEDGEMENTS: 

The  writer  wishes  to  acknowledge  the  contri- 
butions made  by  Mr.  F.  Ruther  (AFLC)  and  Mr* 

A.  Coppola  (AFSG)  to  the  content  of  this  paper. 


53 


p 

o 


o 


$ 


w 


>»  p 
Q)  Cj 
C Q) 
O pu 
S CO 


P 

w 

T3  O 
C O 
cd 

<D 

ij  S 

£ S 
, 0) 
I— I -p 

cd  G 
-P  *H 

5dS 


TJ  P 
0)  W 
P O 

P CD 
OT  P 
W M 


Cd  P 
P (0 
O O 
Eh  O 


CD  P 

G S 

CO  c 
(DOO 
P • cd 
C IT\  H 
•h<*>  a 

^ ® (S 


§ 

•H 


0) 

G 

rH  CD 
•H  P 
cd  cd 
Pk  P4 


O 

O 


O 

O 

O 

•v 

o 

o 

to 


o 

8 

CD 

8^ 

«sT 


O 

vO 


£ 


o 

o 


8 

o 

o 

(V 


o 

o 

o 


to 

5 


o 

o 

•sf 

O 


on 


o 

o 

o 

•s 

C\i 

o 


o 

o 

o 


c\i 


o 

o 

vO 

•s 

rH 

CV 


O 

O 

O 


O O 

5 ** 


8 


§ 


O 

O 

vO 

to 

o 

c- 


Ttf. 
in 
O 

o o 
o o 


o 

o 

o 

vO 

to 

o 


o 

8^ 

O 

O 

O 

§ 

8 

vO 

8 8 

O (V 

CD 

O 

to 

c r 

g 

rH 

in 

(V 

oT  to 

CM 

8 8 8 


o 

in 


O 

O 

O 

* 

o 

cv 


o 

o 

o 


o 

o 


o 

o 

o 


0)  P 
p cx 

o 

o 

o 

o 

o 

o 

o g 

o 

o 

o 

o 

o 

tc 

•H  G 

o 

o 

o 

to 

T)  W 
0)  C 

^ o 
P-t  o 

o 

o 

to 

to 

to 

o 

o 

o 


55 


THIS  SLIDE  SUMMARIZES  THE  TACAN  DATA  ON  A YEARLY  COST  BASIS 


56 


RELIABILITY  RESEARCH  NEEDS 


. " i 

<2  ' ■ <’ 


E.  J.  Nucci 

Office  of  the  Director  of  Defense  Research  and  Engineering 
Washington,  D.  C. 


Summary 


Research  Needs  in  Reliability 


Experience  in  the  application  of  techniques 
developed  through  research  in  reliability  has  re- 
vealed gaps  in  the  technology  and  areas  in  which 
present  techniques  should  be  refined  or  the  tech- 
nology, extended.  These  deficiencies,  repre- 
senting needs  in  reliability  research,  are  enu- 
merated, and  priorities  are  suggested  for  some. 


Introduction 

In  the  past  decade,  much  effort  has  been 
expended  in  attempts  to  gain- -or  improve — 
reliability  in  military  weapon  systems.  The 
most  formally  organized  and  probably  the  most 
intensive  efforts  along  this  line  have  been  in  elec- 
tronics. I will  not  confine  my  remarks,  however, 
to  electronics  or  missiles  or  any  other  specific 
area;  I want  to  talk  about  weapon-system  relia- 
bility as  a whole. 

All  past  efforts  might  be  considered  as  fal- 
ling into  three  categories:  (1)  the  development  of 
new,  improved  parts  and  materials  designed  to 
be  used  in  extreme  environments  and  to  have 
longer  life;  (2)  the  development  of  techniques  for 
designing  reliability  into  the  end  product  and  for 
measuring  reliability  and  the  improvement  of 
engineering  practices;  and  (3)  the  application  of 
the  new  parts,  materials  and  techniques. 

Although  there  have  been  many  gratifying 
successes  in  the  effort  to  apply  new  developments, 
experience  has  proved  how  much  remains  to  be 
done;  we  have  only  scratched  the  surface.  Cer- 
tain techniques  must  be  refined;  there  are  definite 
gaps  in  the  technology;  and  there  are  areas  in 
which  the  technology  must  be  extended  to  cover 
more  extreme  situations.  These  deficiences 
represent  our  needs  in  reliability  research.  Im- 
portant as  they  immediately  appear,  these  ob- 
jectives gain  even  greater  significance  when  con- 
sidered in  the  light  of  requirements  for  advanced 
systems  now  being  planned-  -especially  those 
intended  for  space  operations . 


Categorized  in  the  two  major  areas  of  (1) 
systems  and  equipment  reliability  and  (2)  parts 
reliability,  here  are  some  of  the  unfilled  re- 
liability research  needs: 

Systems  and  Equipment  Reliability 

(1)  Refined  techniques  for  predicting 
reliability  of  electronic  systems 

(2)  Reliability-prediction  methods  for 
mechanical  systems 

(3)  Design  methods  to  ensure  specified 
life  for  mechanical  and  hydraulic 
parts 

(4)  Self-healing  design  techniques,  such 
as  redundancy;  self -organizing  or 
self -adapting  systems;  self-checking 
systems;  fail-safe  tehniques,  etc. 

(5)  Techniques  for  demonstrating  re- 
liability--especially  for  large,  com- 
plex systems  with  long  mean  time 
between  failures;  for  expendable  sys- 
tems with  a long  time  to  failure,  such 
as  satellites;  and  for  costly,  expend- 
able systems  with  a low  production 
base,  such  as  ballistic  missiles 

(6)  Accelerated  testing  techniques,  with 
acceleration  factors  correlated  to  the 
life  or  reliability  of  circuits,  assem- 
blies and  systems,  to  reduce  cost, 
sample  size  and  test  time  in  relia- 
bility-assurance testing 

Work  in  these  six  research  areas  is  in  addition 
to  basic  programs  such  as  the  following: 

(7)  A research  and  measurement  program 
aimed  at  gaining  a better  under- 
standing of  the  total  space  environ- 
ment and  determining  its  effects  on 
materials,  component  parts,  circuits 
and  assemblies 


57 


(8)  The  improvement  of  techniques  for 
isolating  component  parts  and  critical 
assemblies --possibly  entire  systems-- 
from  extreme  environmental  conditions 
imposed  by  temperature  cycling*  radi- 
ation and  acceleration 

(9)  The  development  of  techniques  for 
sealing  and  lubrication  in  high  vacuum 

(10)  The  expansion  of  efforts  to  develop 
parts  and  materials  optimized  for  the 
space  environment  and  with  extremely 
long  life  for  missions  of  extended 
duration 

(11)  Studies  of  the  human  factors  in  space 
operations 

Parts  Reliability 

In  the  area  of  research  on  parts  reliability* 
the  list  of  unsatisfied  needs  continues  as  follows: 

(1)  Research  into  failure  mechanisms  of 
electronic,  electrical*  electrome- 
chanical and  mechanical  parts*  with  a 
view  to  developing  analytical  descrip- 
tions of  parts  characteristics  and  life 
expectancy  as  a function  of  use  and 
environment 

(2)  Development  of  self-healing  parts 

(3)  Techniques  for  quantitative  prediction 
of  parts  reliability — in  contrast  to  pre- 
dictions based  on  the  results  of  mass 
testing;  techniques  for  predicting 
future  characteristics  and  life  based 
upon  (a)  physical  or  electrical  inspec- 
tion and  short-term  measurements 
and  (b)  analysis  of  the  physics  of 
materials 

(4)  Accelerated  testing  techniques*  with 
acceleration  factors  correlated  to  the 
parts r life  characteristics*  the  objec- 
tive being  to  reduce  cost*  sample  size 
and  test  time  in  reliability-assurance 
testing 

(5)  Practical,  economical  methods  of 
proving  compliance  with  requirements 
for  extremely  low  parts  failure  rates 
(such  as  0.  001  percent  per  1000  hours 
and  lower). 


(6)  Techniques  for  reliability -assurance 
testing  of  high-reliability  items  pro- 
cured in  small  lots 

Again*  these  six  research  needs  are  con- 
sidered as  supplementary  to  the  basic  programs 
for  developing  long-life  parts  and  materials  that 
are  suitable  for  the  anticipated  environments  in 
which  they  will  have  to  serve.  Here  let  me 
emphasise  that  the  job  is  not  confined  to  the  case 
of  extending  the  life  of  conventional  parts  that 
are  already  available;  It  includes  the  development 
of  new  parts  and  materials  such  as  those  that 
solid-state  electronics  may  offer. 


Analysis  of  Priority 

So  far,  in  my  attempt  to  identify  the 
principal  areas  in  which  research  is  needed*  I 
have  indicated  no  priority  ratings.  The  grouping 
was  based  on  the  two  categories  of  reliability 
research,  systems  and  parts.  Design-oriented 
items  were  listed  first*  followed  by  those  related 
to  the  measurement  or  demonstration  of  relia- 
bility. From  a management  standpoint*  these 
items  should  be  analyzed  with  respect  to  their 
relative  importance*  Priority  assignments  for 
individual  items,  however*  will  differ  from  one 
program  to  another*  depending  on  the  criteria 
established  in  each  for  determining  urgency. 

For  illustration: 

(1)  In  a long-range  program  aimed  at 
developing  systems  that  must  operate  over  ex- 
tremely long  periods  of  time,  high  priority  is 
given  to  work  on  long-life  components,  self- 
healing  design  techniques  and  the  determination 
of  failure  mechanisms. 

(2)  If  the  immediate  job  is  to  develop 
costly,  complex,  expendable  systems  for  an 
extended  mission  period  and  only  a few  are  to  be 
built  at  a time,  priority  goes  to  the  solution  of 
problems  involving  small-lots  reliability  assur- 
ance, reliability  demonstration,  refined  predic- 
tion and  other  techniques  for  analytical  design 
evaluation  and  self-healing  design, 

(3)  If  our  goal  is  to  speed  up  development 
and  cut  costs  but  retain  the  assurance  of  relia- 
bility, priority  fails  to  the  development  of  ac- 
celerated testing  techniques*  prediction  tech- 
niques and  the  shortest  and  most  economical 
methods  of  test  demonstration  and  reliability 
measurement  or  evaluation. 


?8 


(4)  When  the  basic  need  is  a formula  for 
specifying  reliability  in  contracts,  possibly 
associated  with  provisions  for  incentives  or 
penalties,  first  priority  would  be  assigned  to  the 
development  of  methods  by  which  reliability  can 
be  quantitatively  specified  and  measured. 

We  could  establish  still  other  sets  of  cri- 
teria, but  those  I have  mentioned  could  be 
matched  to  the  current  situation  in  our  missile 
and  space  projects.  In  summary,  we  would 
find  ourselves  facing  the  need  for  (1)  developing 
complex,  low -production,  long-miss  ion-time 
systems,  (2)  demonstrating  reliability  in  com- 
plex, expendable  systems  and  (3)  cutting  costs 
and  shortening  development  times  to  meet  early 
operational  dates. 

This  leads  me  to  suggest  that  the  following 
areas  should  be  given  high  priority: 

Predicting  and  demonstrating 
reliability 
Accelerated  testing 
Self-healing  design 
Assurance  of  reliability  in  small 
production  lots 

And  the  effort  in  these  technique  areas  is  to  be 
fully  supported  by  the  basic  programs  for 
developing  new  and  longer  lived  parts  and 
materials. 

Wot  everyone  will  agree  with  these  sug- 
gested priorities,  for  needs  vary  with  the  situa- 
tion. 

I ask  your  assistance  in  letting  us  know 
about  new  reliability  problems  that  are  revealed 
from  day  to  day.  For  our  part,  we  are  most 
interested  in  your  efforts,  especially  those  that 
culminate  in  whole  or  partial  solutions  on  which 
data  may  be  made  generally  available --to  the 
benefit  of  the  nation's  defense  program  as  well 
as  its  industry. 


Conclusion 

Our  weapon  technology  is  growing  at  a 
tremendous  rate,  and  there  are  unprecedented 
demands  for  performance  and  functional  capa- 
bility. Moreover,  in  contrast  to  former  reli- 
ability needs,  the  degree  of  reliability  now 
required  in  many  cases  for  successful  operation 
has  been  multiplied  by  a factor  of  10 — some- 
times as  high  as  100. 

The  very  nature  of  many  new  systems 
denies  us  the  use  of  such  established  procedures 
as  product  improvement  and  calls  for  a re- 
orientation of  our  design  philosophy  and  manage- 
ment. In  technical  as  well  as  management  areas, 
techniques  must  advance  in  order  to  stay  abreast 
of  mission  requirements  and,  at  the  same  time, 
cope  with  time  scales  and  allocated  budgets, 

The  successful  pursuit  of  the  research 
needs  enumerated  will  go  far  toward  gaining 
objectives  that  are  vital  to  our  national  defense. 

A considerable  part  of  this  work  is  now  in 
progress,  sponsored  by  both  industrial  and 
government  research  activities.  These  pro- 
grams must  be  compatible  and  complementary. 
Their  results  should  be  documented  and  pub- 
lished for  use  by  all  interested  agencies  of 
government  and  industry. 

Reliability  is  the  key  to  advanced  weapon 
technology  and  success  in  space  operations.  In 
our  defense,  in  our  economy  and  in  the  prestige 
we  enjoy  among  the  world's  nations,  it  is  of  the 
utmost  significance  that  our  systems  of  all  kinds 
function  dependably.  And  it  will  take  the  com- 
bined efforts  of  our  government  and  our  industry 
to  achieve  the  required  reliability. 


59 


THREE  LESSONS  FROM  THE  RELIABILITY  VERIFICATION  PROGRAM 


David  B.  Christian 

Light  Military  Electronics  Department 
General  Electric  Company 
Utica*  New  York 


Introduction 


This  paper  discusses  three  important 
lessons  that  resulted  from  a Reliability 
Verification  Program,  The  General  Elec- 
tric Company  builds  Radio  Guidance  Equip- 
ment for  the  Atlas  Missile  Program-  The 
Mod  III  A/B  equipment  is  one  of  the  air- 
borne guidance  systems  that  has  been  de- 
signed and  built  at  the  Light  Military 
Electronics  Department  to  be  used  with 
the  ground  system  built  by  the  Defense 
Systems  Department.  The  airborne  system 
consists  of  two  beacons  and  a decoder. 
Figures  1 and  2 show  the  equipment  set  up 
for  vibration  testing. 

The  system  operates  by  sending  signals 
to  the  ground  station.  These  signals  are 
interpreted  by  the  ground  system  and  a 
message  is  returned  containing  information 
for  missile-course  correction.  Such  a 
system  has  two  principal  advantages:  It 
is  precise.  It  is  highly  reliable. 

The  question  that  arose  in  1959  was* 

"How  reliable  is  this  system?"  "What  is 
the  probability  of  a successful  guided 
flight?11  The  minimum  acceptable  relia- 
bility for  such  a system  was  0.925  with 
95  percent  confidence.  From  this  require- 
ment*  the  Mod  III  A/B  Reliability  Verifi- 
cation Program  evolved. 

The  concept  of  a test  program  to  verify 
the  reliability  of  such  a system  was  not 
new.  To  design  the  program*  we  needed 
only  to  make  the  following  assumptions: 

1.  Assume  that  repeated  vibration 
cycling  of  the  equipment  will  not  reduce 
its  life  . 

2 . Assume  that  in  the  laboratory  you 
can  simulate  the  vibration  environment  of 
a missile  flight, 

3 . Assume  that  the  sample  used  is 
representative  of  the  population  of 
guidance  systems. 

On  the  basis  of  these  assumptions* the 
program  could  be  designed*  the  reliability 
of  the  system  could  be  date  mined*  and 
the  validity  of  the  assumptions  could  in 
turn,  be  verified.  The  method  decided 
upon  for  obtaining  failure  data  was  to 
test  six  systems  to  failure  under  simulated- 
flight  environmental  conditions  . If  the 
system  degrades  markedly  with  continued 
electronic  cycling,  or  vibration*  or  both, 
the  first  assumption  would  not  hold*  and 
the  contractor  could  be  penalized  severely. 
With  a sample  as  small  as  six*  it  is  ex- 
tremely difficult  to  demonstrate  with  a 


high  degree  of  statistical  confidence 
whether  the  failure  distribution  is  in- 
fluenced by  vibration  fatigue . 

The  stated  purpose  of  the  Mod  III  A/B 
Reliability  Verification  Program  was  to: 

1,  Estimate  the  reliability  of  the 
Mod  III  A/B  airborne  equipment  during  a 
countdown  and  flight  period, 

2,  Derive  Information  from  which  the 
reliability  could  be  further  improved . 

3,  Verify  the  feasibility  of  experi- 
mentally measuring  reliability. 

As  stated  earlier*  the  customer  wanted 
to  be  assured  that  the  reliability  of  the 
airborne  system  was  at  least  0.925  with 
95  percent  confidence.  The  Mod  III  B Re- 
liability Verification  Program  demonstrated: 

1,  With  95  percent  confidence*  equip- 
ment reliability  for  a countdown  and 
flight  period  is  no  less  than  0.994. 

2.  The  confidence  level  at  which  a 
0-925  probability  of  failure-free  operation 
may  be  Inferred  is  greater  than  99-95  per- 
cent . 

The  program  was  feasible.  The  relia- 
bility of  the  airborne  equipment  exceeded 
not  only  the  minimum  acceptable  reliability* 
but  also  the  design  objective  of  the  Mod 
III  A/B  Program. 

The  verification  program  was  con- 
current with  actual  flight  test  of  the 
Mod  III  A system.  Problem  areas  indicated 
by  the  verification  program  agreed  very 
well  with  those  brought  to  light  by  the 
ground  and  maintenance  tests  of  the  Mod 
III  A equipment  In  the  field.  This  corr- 
espondence added  confidence  in  the  pro- 
gram and  with  it  an  urgency  and  sense  of 
need  to  eliminate  the  problems  revealed , 

In  this  sense*  Information  was  obtained 
that  did  aid  in  improving  the  reliability 
of  the  guidance  equipment. 

This  paper  presents  three  significant 
lessons  learned  from  the  Mod  III  A/B  Re- 
liability Verification  Program.  It  dis- 
cusses the  significance  of  these  lessons 
and  how  they  have  affected  the  planning 
of  subsequent  evaluation.  It  goes  on  to 
discuss  in  a new  light  what  the  program 
has  added  to  our  knowledge  of  the  be- 
havior of  complex  electronic  systems. 

Briefly  stated*  the  lessons  are: 

1 . This  type  of  Reliability  Verlf ica- 


fiL 


tion  Program  can  and  should  be  a valid 
means  for  demonstrating  the  reliability  of 
a system. 

2.  There  are  relationships  between 
time,  cycling,  and  vibration. 

3 . The  time  required  to  perform  such 
a program  may  limit  its  value  * 

First  Lesson;  Validity  of  Test  Program 

The  test  program  was  feasible  and 
valid.  The  program  simulated  two  environ- 
ments: The  first  environment  was  that  of 

the  equipment  checkout  and  maintenance 
period , This  environment  is  comparable 
to  the  ground  environment  before  placement 
of  the  equipment  on  a missile  for  count- 
down and  launch*  The  second  environment 
is  that  of  missile  countdown*  launch*  and 
flight  operation. 

The  flight  vibration  requirements  were 
simulated  in  accordance  with  the  tele- 
metered data  received  from  Atlas  flights , 
Temperature  was  controlled  so  that  for 
each  simulated  flight  each  system  experi- 
enced flight- temperature  conditions. 

Table  I compared  the  failure  rates 
from  the  Verification  Program r s first  en- 
vironment with  the  actual  field  experience 
observed  with  General  Electric's  Mod  III 
A/B  equipment* 

TABLE  I 

Failure  Rate  Comparison 
FIELD 


Major  & 

Critical 

Failure 

955S 

Unit 

Rate 

Confidence  Bands 

Pulse  Beacon 

0.0032 

0.00184  - 

0.00483 

Rate  Beacon 

0.0023 

0.00144  - 

0.00382 

Decoder 

0.003^ 

0.00202  - 

0 .00502 

System 
System  Mean- 

0.0089 

0.0063  - 

0.0113 

Time  to 
Failure 

112.3 

VERIFICATION  PROGRAM 


Major  & 

Critical 

Failure  95$ 

Unit  Rate  Confidence  Bands 


Pulse  Beacon 

0.0044 

0.00123 

- 0.00985 

Rate  Beacon 

0.0023 

0.00028 

- 0.00636 

Decoder 

0.0045 

0.00122 

- 0.00979 

System 
System  Mean- 
Time  to 

0.0112 

0.0043 

- 0.0182 

Failure 

89.0 

There  exists  no  statistical  signifi- 
cant difference  between  the  rates  shown 
in  the  table.  From  this  we  conclude  that 


the  verification  program  successfully  sim- 
ulated the  field  environment . The  relia- 
bility statements  that  could  be  made  about 
flights,  assuming  an  exponential  failure 
distribution,  were  stated  earlier.  In 
actual  flights  of  Atlas  Missiles  guided 
by  General  Electric  Mod  III  A/b  equipment 
there  have  been  no  failures  of  the  air- 
borne equipment . This  record  is  consist- 
ent with  the  results  of  the  Reliability 
Verification  Program.  One  of  the  six  sys- 
tems used  "flew"  450  simulated  flights 
without  a failure. 

Armed  with  knowledge  of  the  validity 
of  the  Mod  III  A/B  Reliability  Verifica- 
tion Program,  and  faced  with  the  task  of 
evaluating  the  Mod  III  F/G  guidance,  range 
safety  and  tracking  systems,  we  set  about 
designing  a program  far  more  complex  and 
more  difficult  to  analyze  statistically. 

For  the  Mod  III  F/G  systems,  the  customer 
did  not  want  to  repeat  a Verification  Pro- 
gram. He  wanted  to  know  how  reliable  the 
systems  were  for  various  vibration  levels. 
This  information  was  needed  to  reflect  the 
multipurpose  use  of  the  Mod  III  F/G  equip- 
ments on  more  than  one  missile . Some  of 
the  levels  envisioned  with  this  new  test 
program  may  even  be  beyond  the  vibration 
design  specifications.  The  successful 
performance  of  the  earlier  Reliability 
Verification  Program  permitted  General 
Electric  to  accept  this  challenge. 

The  new  program  differs  from  the  Veri- 
fication Program  in  a number  of  respects. 
Instead  of  simulating  the  flights  of  six 
systems  at  one  vibration  level,  we  are 
simulating  the  flights  of  the  four  systems 
at  at  least  four  different  levels . A set 
of  decision  rules  have  been  set  down  to 
determine  the  characteristics  of  the  fail- 
ure distribution.  In  this  manner  as  soon 
as  the  failure  distribution  appears  as 
recognizable,  testing  can  be  halted.  By 
replacement  of  fatigued  components  and 
modules  or  both,  testing  can  be  resumed 
at  another  level . 

The  projected  cost  of  the  program 
seemed  excessive  at  first;  however,  in 
reviewing  the  experience  gained  from  the  ear- 
lier verification  program,  the  author  derided 
that  if  time  for  countdowns  were  eliminated 
and  flights  were  substituted,  the  number 
of  flights  could  be  more  than  tripled . By 
sacrificing  the  beauty  of  tight  confidence 
bands,  which  are  only  obtained  with  large 
samples,  a maximum  liklihood  estimate  that 
was  quite  reliable  could  be  obtained .Also, 
knowing  some  characteristics  of  vibration 
obtained  from  the  Verification  Program 
(discussed  further  on  In  this  paper), 
the  author  felt  he  should  be  able  to 
correlate  the  different  vibration  level 
effects  on  the  equipment . 

The  Mod  III  F/G  Vibration  Evaluation 
Program  is  still  in  progress.  One  stage 
is  complete . Four  hundred  successive 
failure -free  flights  have  been  simulated 


62 


at  a vibration  level  comparable  to  those 
levels  used  in  the  Mod  III  A/B  Program. 
This  result  is  as  good  as,  if  not  better 
than,  what  the  Verification  Program  dem- 
onstrated , 

Comparing  the  p re vibration  experience 
of  the  Mod  III  F/G  Vibration  Evaluation 
Program  with  the  data  obtained  from  com- 
parable field  experience  for  the  Mod  III 
F/G  equipment,  one  will  find  that  the  com- 
parison Is  about  the  same  as  that  for  the 
Mod  III  B Reliability  Verification  Pro- 
gram (Table  I) . Such  a performance 
pattern  should  be  expected. 

One  additional  comment  Is  appropriate . 
The  statistician  knowingly  sacrificed  the 
beauty  of  tight  confidence  bands  when 
planning  the  Mod  III  F/G  Program.  Origi- 
nally he  wanted  about  thirty  failures  for 
each  system  vibration  so  that  he  could 
estimate  the  failure -distribution  func- 
tion for  each  vibration  level  with  a re- 
spectable confidence.  This  requirement 
was  set  aside  by  transferring  the  empha- 
sis from  a confidence  level  to  a best  es- 
timate of  the  distribution  mean.  Generally 
speaking,  the  width  of  a probability  con- 
fidence region  Is  related  to  the  size  of 
the  sample.  The  larger  the  sample,  that 
Is,  the  more  flights  observed;  the  tighter 
will  be  the  confidence  band.  But  this 
tightening  of  the  confidence  band  will 
have  very  little  effect  on  the  estimation 
of  the  distribution  parameters  unless 
there  exists  a bias  that  is  Inversely  re- 
lated to  the  sample  size.  Thus,  by  de- 
emphasising  confidence  statement,  and  by 
concentrating  on  estimation  of  the  maxi- 
mum likelihood  estimators  of  the  dis- 
tribution parameters,  it  Is  possible  to 
reduce  the  sample  size  considerably. 

Table  II  Illustrates  this  point. 

TABLE  II 

Comparison  of  Failure -Free 
Flights  Required  at  Two  Levels  of 
Reliability 


bration,  was  debated  at  some  length  during 
the  Sixth  Military -Indus try  Missile  Re- 
liability Symposium  at  Fort  Bliss  In  I960. 
The  simplest  presentation  of  the  issue  of 
this  controversy  Is,  "Does  vibration  test- 
ing eliminate  failures  or  does  It  cause 
them? 11 

One  of  the  principal  proponents  for 
PET  was  Robert  L.  Stallard.*  The  ration- 
ale for  PET  Is  based  on  the  fact  that  with 
compressed  time  schedules  in  complex 
missile  systems,  it  becomes  impossible  to 
go  through  the  ideal  eight  steps  of  pro- 
duction: 

11 1.  Definition  of  the  requirements. 

"2.  Production  and  test  of  the  bread- 
board models. 

Tl3 . Production  of  a prototype,  which 
is  subjected  to  environmental  tests. 

T,4.  Redesign  of  the  component,  as  dic- 
tated by  the  results  of  the  prototype 
tests , 

”5*  Production  of  several  prototypes 
with  production  tooling  and  production 
techniques , 

"6.  Full  scale  qualification  testing 
of  all  these  prototypes  produced  by  pro- 
duction methods. 

"7*  Redesign  and  retest  of  the  pro- 
duction prototypes,  as  necessary. 

”8.  Final  production.” 

Essentially  PET  replaces  the  above 
steps  with  production  hardware.  Stallard 
stated  the  following  levels  (Table  III) 
that  his  company  used  for  PET  tests  . 

TABLE  III 

PET  Levels  for  Vibration  Testing 

Percent  Percent  of  Design 

Components Specifications 

70  100 

7 50  - 100 

23  Below  50 


R = 0.925 


R = 0.985 


Lower 
Bound 
% Con- 
fidence 

Failure- 

Free 

Flights 

Required 

Lower 
Bound 
% Con- 
fidence 

Failure - 
Free 
Flights 
Required 

95 

40 

95 

200 

90 

31 

90 

155 

80 

22 

80 

110 

TO 

16 

70 

90 

50 

10 

50 

50 

Second  Lesson  - Relation  Between 
Time , Vibration,  and  Cycling 

The  debate  between  Production  Environ- 
mental Testing  (PET)  exponents  and  dis- 
senters has  been  going  on  for  a number  of 
years , PET,  principally  in  terms  of  vl- 


Stallard  does  not  feel  that  the  PET 
programs  shortens  the  life  of  the  equip- 
ment . He  has  calculated  that  the  maximum 
amount  of  design  life  consumed  by  PET  for 
any  component  to  be  4 percent.* 

G.  A.  Henderson,  In  his  paper,  "The 
Fallacy  of  PET  as  a Quality  Control  Tech- 
nique,” presented  at  this  symposium  along 
with  Stallard" s,  gave  a well  documented 
argument  in  opposition  to  the  PET  concept. 
He  quoted  extensively  from  Dr.  W.  R. 

Pabst's  paper,  "Statistical  Planning  for 
Ordnance  Proof  Testing."  This  paper 

* Stallard,  R . L . , r,The  Value  of  F.E.T.  As 
A Quality  Control  Function"  Sixth  Military- 
Industry  Missile  Reliability  Symposium, 

Fort  Bliss  i960.  Volume  I,  Pages  303-324 


63 


argued  that  successful  completion  of  a 
test  run  was  in  no  way  a guarantee  that 
a torpedo  would  he  more  reliable*  An  ex- 
periment was  devised  utilizing  two  groups 
of  five  torpedos:  Group  A*  which  had 
passed  a water  run;  and  Group  B which  had 
not  been  water  tested.  Both  groups  were 
then  water  tested.  The  statistical  anal- 
ysis indicated  that  there  was  no  signifi- 
cant difference  between  the  two  groups . 

In  fact,  the  untested  group  empirically 
performed  better*  although  the  differ- 
ence was  not  statistically  significant. 

Such  an  experience  is  not  unique . Similar 
results  have  been  obtained  from  other 
programs . 

Henderson*  referring  to  a guided 
missile  program  utilizing  100  percent  vi- 
bration testing  said: 

11  . . . the  contractor  lists  the  follow- 
ing items  as  the  kind  of  failures  or  de- 
fects he  is  finding:  loose  nuts  and  bolts; 
cold  solder  joints;  insulation  wearing 
through  from  rubbing*  broken  capacitor 
leads;  capacitor  shorting;  microphonics 
on  trimpots;  microphonic  transistors;  in- 
termittent relays;  broken  wires;  broken 
mountings;  cracked:  transistors;  loose  con- 
tacts; microsyn  gear  retainer  failures; 
poor  mechanical  fit  and  looseness;  defec- 
tive pot  wipers;  snap-ring  failures.” 

The  contractor  concluded  that  these  de- 
fects '‘would  not  have  been  discovered 
during  normal  manufacturing  inspection.” 

He  also  made  the  ” rediscovery”  that  "Man- 
ufacturing failures  appeared  to  be  com- 
pletely random.” 

"I  think  we  can  assume  safely*” Henderson 
continued*  "that  if  the  contractor  states 
that  these  failures  and  defects  would  not 
have  been  discovered  during  normal  manu- 
facturing inspection*  either  his  normal 
inspection  is  no  good*  or  else  these  de- 
fects were  not  present  at  the  time  of 
inspection*  and  were  therefore*  the  di- 
rect result  of  the  PET." 

This  writer  was  familiar  with  a 
missile  program  in  which  he  demonstrated 
that  the  failure  rate  under  vibration 
tests  was  the  same  as  with  tests  not 
using  vibration*  and  that  this  failure 
rate  was  essentially  constant.  The  vi- 
bration testing  as  performed  did  not 
cause  any  increase  or  decrease  in  failures . 

Over  the  years  I have  observed  many 
failures  such  as  unsoldered  joints*  broken 
welds  in  potted  assemblies*  that  are 
supposedly  vibration  failures  but  that 
have  been  detected*  not  during  vibration* 
but  at  some  later  time  . The  incidence  of 
this  type  of  failure*  although  not  very 
high*  is  significant  merely  in  the  fact 
that  it  exists. 

During  the  1300  flights  of  the  Mod 
III  B Reliability  Verification  Program* 
four  failures  were  observed.  These  fail- 
ures were  of  klystrons*  magnetrons*  and 
thyratrons . These  components  have  been 


considered  by  some  as  possessing  a limited 
life.  Cycling*  time*  vibration*  or  com- 
bination of  these  variables*  could  have 
been  responsible  for  these  failures. 

Figure  3 shows  a plot  on  Weibull  prob- 
ability paper  of  the  four  failures  ob- 
served during  the  simulated  flights. 

Notice  how  well  the  Weibull  distribution 
fits  the  data  in  comparison  with  the  ex- 
ponential distribution.  The  Weibull  dis- 
tribution indicates  that  time*  cycles*  or 
vibration  did  affect  the  life  of  the  sys- 
tem . 

It  is  interesting  to  compare  the 
earlier  statement  made  about  the  relia- 
bility of  the  Mod  III  B equipment  with 
the  statement  that  would  be  made  with 
this  best  estimate  of  a Weibull  fit . 

1.  Assuming  an  exponential  distribu- 
tion: With  95  percent  confidence*  equip- 
ment reliability  for  a countdown  and 
flight  period  is  no  less  than  0.99^* 

2.  Assuming  the  Weibull  distribution: 
With  95  percent  confidence*  equipment  re- 
liability for  a countdown  and  flight 
period  is  no  less  than  0.999* 

The  second  statement  implies  that  re- 
peated cycling*  time*  or  vibration  does 
have  an  effect  on  reliability.  The  re- 
liability on  a single  flight  would  be 
higher  under  a Weibull  assumption  than 
under  the  exponential  assumption.  Figure 
4 shows  the  relationship  of  the  cumulative 
conditional  distribution  functions  of  the 
two  distributions . This  shows  the  ex- 
pected number  of  failures  that  one  would 
observe  from  time  zero  to  time  t. 

The  Mod  III  B Verification  Program 
was  not  designed  to  separate  the  effects 
of  vibration*  cycles*  and  time.  Upon 
completion  of  the  flight  portion  of  this 
program*  a life  test  was  partially  per- 
formed on  two  systems . The  equipment  was 
subjected  to  few  on/off  cycles  and  to  no 
vibration.  The  result  of  this  incompleted 
test  indicated  that  with  steady  operation 
the  equipments  operated  for  3600  hours 
with  a MTBF  of  350  hours  as  opposed  to 
100  hours  for  the  flight  period . 

These  results  still  do  not  reveal  the 
relation  between  time*  vibration*  and 
cycling.  We  have  to  look  to  our  Mod  III 
F/G  Vibration  Evaluation  Program  and  to  an 
additional  experiment . The  Vibration 
Evaluation  Program  as  it  stands  today  is 
inconclusive . It  would  appear  that  vibra- 
tion levels  do  have  an  effect.  One  system 
completed  400  cycles  at  low-level  vibra- 
tion without  a failure . Another  system* 
at  a level  three  times  as  high*  had  a 
failure  after  92  cycles . The  evaluation 
program*  however*  is  designed  so  that  upon 
completion  we  should  be  able  to  give  a 
better  answer  to  the  question  of  the  effect 
of  vibration. 

The  other  important  experiment  is  the 
life  test  that  we  have  been  performing  on 
the  Mod  III  F/G  klystrons.  In  this  test* 


the  klystrons  are  cycled  once  every  hour 
of  the  day  In  a manner  that  simulates  the 
normal  test  for  the  beacon.  Each  cycle 
reproduces  the  temperature  and  signal 
pattern  that  would  be  observed  during  a 
normal  beacon  test.  The  results  of  the 
test  to  date  are  shown  in  Table  IV.  The 
principal  difference  between  the  two  kly- 
strons is  the  power  mode.  The  MIS TRAM 
klystron  should  have  a longer  life  than 
the  Mod  III  P/a  klystron. 

TABLE  IV 

Klystron  Life-Test  Results 


hours 

Mod  III  F/G 

1 

1300 

failed 

Klystron 

2 

1453 

failed 

3 

1613 

4 

1602* 

MISTRAM 

1 

1876 

Klystron 

2 

1876 

3 

1876 

4 

1870 

The  life  expectancy  of  the  klystron 
is  quite  a bit  more  than  had  been  ex- 
pected. It  was  generally  believed  that 
a klystron  after  one  hundred  hours  was  a 
reliability  risk.  Very  little  change  in 
the  operating  characteristics  of  the  kly- 
stron has  been  observed  during  this  life 
test.  Although  these  klystrons  are  not 
the  same  as  those  of  the  Mod  III  B*  they 
are  comparable  to  the  units  used  in  the 
Mod  III  F/G  Vibration  Evaluation.  If  the 
performance  under  vibration  is  not  the 
same  as  the  static  performance,,  the  in- 
fluence of  the  vibration  environment  on 
life  will  have  been  demonstrated  more 
definitely  than  In  the  past. 

An  interesting  observation  about  the 
two  failed  klystrons  is  that  both  show  a 
general  over-all  deterioration  of  the 
cathode . Those  that  have  failed  in  the 
field  because  of  deterioration  of  the 
cathode * which  would  be  considered  normal 
end  of  life*  have  deteriorated  only  in  a 
localized  spot  near  the  center. 

The  results  of  the  Mod  III  B Relia- 
bility Verification  Program*  the  Mod  III 
F/G  Vibration  Evaluation  Program*  and  the 
Klystron  Life  Test  to  date  tend  to  support 
the  thesis  that  vibration  does  have  an 
effect  on  the  life  of  electronic  equip- 
ment. The  next  question  to  ask  is*  "How 
much?"  The  Verification  Program  was  per- 
formed at  operational  flight  vibration 
levels.  Vibration  testing  at  these  levels* 
within  reason*  may  have  only  a minor 
effect  on  the  life  of  the  equipment . 

When  completed,  the  Mod  III  F/G  Vlbra- 
tion  Evaluation  Program  will  tell  us  more 


* Retune  klystron  after  35  hours. 


about  the  influence  of  vibration  levels 
on  the  life  of  the  airborne  equipment . 

At  this  point  it  can  be  said  that 
repeated  vibration  at  high  levels  will 
affect  the  reliability  of  a system.  Thus* 
if  a system  was  vibrated*  failed  and  then 
vibrated  again  at  a high  level*  its  re- 
liability could  be  affected  adversely  by 
fatigue . One  way  to  avoid  such  fatigue 
would  be  by  designing  the  equipment  with 
a greater  safety  margin.  Another  method 
to  avoid  fatigue  would  be  to  shorten  the 
vibration- test  time . A vibration  expert 
told  this  writer  that  a one-minute  random 
vibration  is  all  that  is  required  to  ex- 
cite all  possible  resonances  in  the  fre- 
quency spectrum  under  test . All  vibration 
beyond  that  point  only  fatigues  the  unit . 

The  Mod  III  B Reliability  Verification 
Program  has  indicated  that  vibration  at 
the  simulated  flight  levels  had  a slight 
effect  on  the  life  of  the  equipment.  Vi- 
bration at  some  higher  level  would  prob- 
ably have  introduced  more  fatigue . This 
has  been  apparent  with  the  Mod  III  F/G 
Vibration  Evaluation  Program. 

This  writer’s  personal  position  in 
the  controversy  surrounding  PET  is  that 
it  is  not  a panacea  for  detecting  loose 
bolts  and  nuts*  cold  solder  Joints*  and 
so  on.  After  vibration  tests*  these  de- 
fects do  appear.  If  the  vibration  test 
is  not  effective*  one  would  expect  to  ob- 
serve these  failures  with  about  the  same 
frequency  as  before . If  the  test  is 
effective  these  failures  should  not  exist. 
This  presupposes  that  the  failures  are  not 
due  to  fatigue  but  that  marginal  condi- 
tions are  being  detected.  What  is  re- 
quired then  is  an  effective  short  vibra- 
tion test.  The  problem  usually  Is  that 
the  length  of  a vibration  test  is  deter- 
mined by  the  time  required  for  electrical 
performance  test*  and  not  by  the  require- 
ments for  an  effective  vibration  test.  If 
the  vibration- test  time  is  not  determined 
by  electrical-test  time*  it  is  usually 
determined  by  custom;  actual  requirements 
are  not  taken  into  account*  or  more  seri- 
ously* are  not  even  known. 

If  we  approached  our  designs  with  the 
same  conservative  safety  approach  as  a 
bridge  designer*  we  would  not  have  to  be 
concerned  as  much  with  the  degrading 
effect  of  vibration.  It  is  unfortunate 
that  in  our  missile -space  age  definite 
tradeoffs  ■ of  size  and  weight*  and  thus 
safety*  must  be  made. 

Strictly  speaking*  I would  like  to  be 
completely  on  Henderson’s  side  because  I 
feel  that  PET  is  being  used  to  detect  our 
human  failings  and  carelessness . I also 
feel  that  time  spent  on  proper  evaluations 
of  design  and  manufacturing  processes 
would  be  more  effective  in  producing  re- 
liable equipment  than  time  spent  on  PET 
inspections . The  answer  is  not  PET  or 
no  PET.  It  is  the  rational  development 


65 


of  design,  manufacture,  and  test  equipment. 
If  we  are  to  use  PET  to  detect  our  human 
failings,  we  are  not  treating  the  cause  of 
our  illness . Fund amen tail 7,  workers  want 
to  do  a good  Job  and  take  pride  in  their 
work.  But  if  they  work  from  chaos  and 
panic,  change  one  thing  after  another  be- 
cause of  our  engineers'  errors,  are  rushed 
by  foremen  so  that  they  meet  schedules, 
their  morale,  and  with  it  the  quality  of 
their  product,  will  slip.  If  our  de- 
signers must  rush  a design  into  production 
because  of  contract  requirements,  the  de- 
sign will  soon  have  to  be  changed  and  the 
chain  reaction  leading  to  poor  quality 
will  be  started* 

The  Little  Prince  upon  visiting  the 
earth  and  our  cities  wisely  observed:  "Men 
set  out  on  their  way  in  express  trains, 
but  they  do  not  know  what  they  are  look- 
ing for.  Then  they  rush  about,  and  get 
excited,  and  turn  round  and  round..." 
(Antoine  deSaint  Exupery,  The  Little 
Prince,  Reynal  and  Hitchcock,  New  York) 

perhaps  our  chain  events  are  described 
by  the  meeting  of  the  Little  Prince  and 
the  tippler. 

"What  are  you  doing  there?" , He  said 

"I  am  drinking"  replied  the  tippler 

"Why  are  you  drinking?11 

"So  that  I may  forget.11 

"Forget  what?" 

"Forget  that  I am  ashamed." 

"Ashamed  of  what?" 

"Ashamed  of  drinking.11 

Third  Lesson:  Time 

The  Mod  III  B Reliability  Verification 
Program  was  useful  because: 

1.  It  attained  its  objective:  verifi- 
cation  of  the  reliability  of  the  Mod  III 
A/B  airborne  system, 

2.  It  yielded  valuable  Information  on 
the  distribution  of  failure. 

3 . It  pointed  out  design  and  component 
weaknesses,  either  independently  or  in 
conjunction  with  the  field  experience  of 
the  Mod  III  A/B  equipment . 

4.  It  gave  us  an  engineering  "confi- 
dence11 In  the  validity  of  our  testing 
procedures . Not  only  with  the  proced^lres 
of  the  test  program,  but  more  important, 
with  those  used  for  production  and  for 
field  testing.  The  test-program  results 
were  also  Instrumental  In  making  two 
changes  In  the  manufacturing  and  inspee- 
tion  procedures. 

5.  It  facilitated  a rapid  formulation 

of  new  evaluation  methods  utilizing  the 
knowledge  attained. 

But  all  of  this  Is  not  enough . The 

timing  and  time  scale  of  the  program  was 

such  that  a major  part  of  its  potential 

value  was  lost.  There  is  a need  to  have 
known  yesterday  what  we  hope  to  learn 

tomorrow . The  time  to  perform  such  a 
program  is  often  too  great.  The  time  to 
negotiate  such  a program  is  often  too  great , 

66 


The  time  to  analyze  the  results  and  make 
the  answers  known  Is  often  too  great , 

Time  Is  involved  because  evaluation 
programs  cost  money.  This  writer  as  a 
statistician  who  has  taken  an  active  part 
in  planning  many  evaluation  programs  is 
well  aware  of  the  time  problem.  He  is 
aware  of  the  necessity  of  having  a meeting 
of  the  minds  so  that  there  is  a complete 
understanding  among  all  parties.  Each  pro- 
gram that  I have  been  Involved  in  proved 
valuable . But  in  each  case  time  has  de- 
tracted from  the  value  of  the  outcome. 

There  Is  too  much  that  is  unknown  in 
our  Industry  today  to  permit  our  running 
around  without  a purposeful  plan.  Each  new 
evaluation  must  not  be  just  a repeat  of 
something  that  has  been  done  before,  but 
one  that  is  designed  to  yield  new  Infor- 
mation in  an  orderly  fashion*  It  is 
essential  that  each  plan  be  carefully  laid 
and  utilize  all  the  knowledge  available . 

It  would  be  convenient  If  we  could  or- 
ganize one  grand  and  glorious  program  to 
tell  us  all.  This  Is  not  possible.  We 
must  think  Instead  of  an  over-all  concept, 
and  fit  into  this  concept  test  programs 
as  parts  of  the  fulfillment  of  that  con- 
cept . The  problem  of  PET  or  nonPET  is 
not  what  we  need  to  resolve.  We  need  to 
know  that  we  have  developed  the  criteria 
required  to  assure  that  we  have  a reliable 
product.  This  problem  doesn't  involve 
only  testing.  It  involves  manufacturing. 

It  involves  design. 

" . . .Failure  data  indicates  that  the 
principal  reasons  for  failure  are 
human.  The  largest  single  source  of 
unreliability  is  workmanship.  The 
second  largest  source  is  design  and  man- 
ufacturing engineering , These  two 
sources  combined  are  responsible  for 
70  percent  to  90  percent  of  the  fail- 
ures reported.  Both  sources  could  be 
called  workmanship.  The  first  is  work- 
manship of  the  hand  and  the  mind.  The 
second  Is  workmanship  of  the  mind  and 
the  hand.  They  both  exist  because  of 
the  attitudes  of  human  beings."* 

The  proponents  of  PET  are.  In  effect, 
admitting  that  they  require  such  tech- 
niques because  they  have  poor  assurance 
of  the  manufacturing  and  design. 

The  opponents  of  PET  insist  that, 
"Contractors  determine  appropriate  environ- 
mental conditions,  test  to  failure  ade- 
quate samples  of  R&D  (and  later  production) 
hardware  in  these  environments,  and  dem- 
onstrate the  existence  of  adequate  safety 
margins."** 

*Chris tian/D . B . ,* 1 2 3 4 5 * * * * *  1 1 Human  Attitudes  and  Re- 
liability, "1959  Northeast  Electronics  Re- 
search and  Engineering  Meeting 

**Henderson,  George  A,,"The  Fallacy  of  PET 
As  a Quality  Control  Technique,"  Sixth 
Joint  Military- Indus try  Guided  Missile  Re- 
liability Symposium,  I960 


This  writer  is  of  the  opinion  that 
the  evaluation  must  be  performed  early  in 
the  program.  In  the  words  of  Alexander 
Mood,  "The  heart  of  a reliability  program 
for  a complex  mechanism  is  early  detection 
of  design  weaknesses  by  the  performance 
and  analysis  of  environmental  test  experi- 
ments on  prototype  or  pilot  models  of 
major  parts  of  the  mechanism.  Such  a pro- 
gram must  be  carried  out  jointly  by  de- 
sign engineers,  experts  in  environmental 
testing  and  statisticians  thoroughly 
versed  in  the  practice  of  experimental  de- 
sign; it  must  be  completed  before  the  on- 
set of  the  scheduled  production."* 

It  has  been  shown  over  and  over  that 
the  problems  observed  in  most  evaluation 
programs  are  the  same  ones  observed  dur- 
ing production.  Three  years  ago  I said, 

11  If  design  and  environmental  testing  are 
not  performed  in  the  early  prototype  phase 
of  a program,  the  design  problems  will 
confront  production  personnel  throughout 
the  program.  Temporary  fixes  or  living 
with  the  problems  will  not  solve  them.  We 
cannot  close  our  eyes  and  hope  for  design 
faults  to  silently  fade  away,11** 

Time  appears  as  the  critical  parameter 
because  of  the  acceleration  of  our  complex 
missile  programs , I am  familiar  with  one 
program  in  which  statistical  evaluation 
was  utilized  In  the  design  phase.  This 
evaluation  did  pay  off. 

Time  has  been  used  in  that  we  have.  In 
the  Mod  III  F/G  Vibration  Evaluation  Pro- 
gram, made  use  of  what  was  learned  from 
the  Verification  Program.  But  to  be  more 
effective  we  must  reduce  the  time  delays , 
The  planners  must  be  completely  aware, not 
only  of  what  their  objectives  are,  but  of 
what  has  been  done  In  the  field  and  of 
what  the  major  questions  that  exist  are. 
And  they  must  plan  so  that  we  can  get 
closer  to  the  answers , It  is  then  their 
responsibility  to  make  known  their  re- 
sults whether  success  or  failure. 

Every  system-evaluation  program  that 
I have  been  related  to  or  have  observed 
has  shown  definite  characteristics . The 
failures  that  exist  are  similar  to  the 
ones  that  will  or  have  plagued  you  In  pro- 
duction, They  all  stem  from  the  same  be- 
havior pattern.  It  Is  essential  to  de- 
termine this  pattern  In  a new  equipment 
program  as  early  as  possible.  What  Mood 
said  above  is  true . If  we  are  to  get  off 
our  merry-go-round,  our  evaluations  must 
exist  and  must  start  as  soon  as  possible. 
Their  scope  must  be  determined,  not  by 
custom,  blindness,  or  naive  planning,  but 
by  intelligence,  ingenuity,  and  daring. 


* Northeast  Electronics  Research  and  En- 
gineering Meeting,  (Mood  see  footnote  as 
quoted  by  D.  B-  Christian) 

**  Ibid 


67 


n 


THE  SUCCESSFUL  APPLICATION  OF  A REPEATED  TEST-TO-FAILURE  PROGRAM 
ON  SERGEANT  MISSILE  ASSEMBLIES 


The  purpose  of  this  paper  is  to  present  the 
Sperry  Utah  Company  test  philosophy  and  the  re- 
sults of  a reliability  test  program,  which  led  to 
the  achievement  of  many  of  the  reliability  goals 
of  the  Sergeant  System* 

The  tests  discussed  are  the  results  of  the 
practical  application  of  a test-to-f allure  pro- 
gram based  upon  Latin  square  and  regression 
analysis  models#  The  statistical  theory  was  pre- 
sented in  a Sperry  Utah  paper  by  Dave  White  at 
the  Sixth  Joint  Military-Industry  Guided  Missile 
Reliability  Symposium  at  El  Paso  in  1960*^ 


tion.  This  test  program  was  designed  and  put 
into  effect  to  assess  the  capabilities  of  the 
Engineering  Model  to  meet  its  expected  environ- 
ment, including  allowance  for  variations  in 
.environmental  extremes®  The  program  included  re* 
liability  tests  as  well  as  type  approval  envi- 
ronmental tests®  The  Sperry  Utah  approach  to 
reliability  testing  utilizes  a repeated  test-to- 
failure  model  to  verify  quantitatively  the 
ability  to  the  system  to  satisfy  the  number  one 
military  characteristic,  reliability*  The  type 
approval  tests  determine  assembly  design  limita- 
tions# 


Early  in  the  R & D program  the  reliability 
efforts  were  directed  primarily  to  component 
evaluation*  As  the  R & D program  progressed  and 
production  hardware  became  available  the  emphasis 
was  placed  on  assembly  and  subassembly  evalua- 


The test  program  is  discussed  in  three 
parts,  Part  I discusses  the  testing  aspects 
whereas  Part  II  discusses  the  mathematical  anal- 
ysis aspects,  and  Part  III  discusses  the  con- 
clusion and  recommendation* 


PART  I*  THE  DESIGN,  APPLICATION,  AND  RESULTS  OF  THE  COMBINED  OPERATING  TEMPERATURE  e 
VIBRATION  TEST  FOR  MISSILE  ASSEMBLIES  RELIABILITY 

Richard  H*  Brashear  Jr*,  Principal  Engineer 
Sperry  Utah  Company 
Salt  Lake  City,  Utah 


Sperry  Utah*s  reliability  test  program  in- 
corporates repeated  tests-to-failure  in  addition 
to  the  type-approval  tests*  Sperry  Utah  defines 
type-approval  tests  as  being  environmental  tests 
to  a specified  level  whereas  reliability  tests 
extend  to  several  environmental  levels  and  in- 
volve sample  sizes  large  enough  to  ensure  statis- 
tical confidence*  Type  approval  tests  are  con- 
ducted for  non-cumulative  types  of  environments 
with  respect  to  reliability  degradation*  Non- 
cumulative  environments  ar(e  defined  as  those 
which  occur  in  the  normal  course  of  use  and  which 
can  be  offset  by  proper  design,  i*e*,  transporta- 
tion and  operation  altitude,  sand  and  dust,  salt 
spray,  rain,  storage,  temperature,  humidity, 
fungus,  and  static  acceleration*  Repeated  tests- 
to  failure  are  conducted  for  environments  con- 
sidered to  be  cumulative,  i*e®,  those  attendant 
on  normal  use  and  which  result  in  wearout  or 
aging  of  the  equipment*  Examples  of  cumulative 
environments  are  transportation  vibrations,  shock 
due  to  bench  handling  and  drops,  hot  and  cold 
operating  temperature,  and  operating  vibration* 

Test  Program 

The  repeated  test-to-failure  program  was  de- 
signed to  facilitiate  from  a minimum  sample  size 
a statistical  analysis  of  mean-life  data  to  pro- 
duce such  flight  reliability  parameters  as  90- 
percent  confidence  limits,  maximum  safe  operating 


level  (MSOL),  and  average  strength*  Consequent- 
ly, a simulated  flight  environment  consisting  of 
ambient  temperature  and  random  vibration  was  im- 
posed concurrently  upon  each  of  three  test  sam- 
ples* Each  missile  assembly  type  was  tested  at 
three  different  vibration  levels  and  in  three 
mutually  perpendicular  vibration  planes* 

The  general  plan  was  to  test  each  of  the 
three  test  assemblies  until  six  failures  were 
observed  on  each  assembly  (a  total  of  two  fail- 
ures per  test  level)  or  until  each  assembly  was 
subjected  to  90  minutes  of  vibration*  (10 
minutes  per  plane  for  each  of  three  discrete 
vibration  levels )c  The  sequence  of  planes, 
stress  levels,  and  test  environments  is  discuss- 
ed below* 

Table  I-l  shows  a typical  Latin  square  de- 
sign used  with  each  type  of  assembly*  The  three 
vibration  tape  levels,  V^,  V2,  and  V3,  are 
applied  to  the  three  assemblies  in  the  order  in- 
dicated in  the  table*  During  the  test,  the 
assemblies  are  operating  and  their  performances 
are  monitored*  If  a failure  occurs,  a repair  is 
effected  and  the  test  resumed*  In  practice, 
three  test  patterns  occurred?  two  failures;  one 
failure  and  survival  to  the  time  limit;  and  no 
failure  and  survival  to  the  time  limit*  The  XYZ 
notation  under  V]^  denotes  the  vibration  plane 
(corresponding  to  the  missile  roll,  yaw,  and 


69 


pitch  axes)  ordering  for  the  application  of 
vibration*  For  example , assembly  No,  1 at  the 
level  was  vibrated  for  10  minutes  in  the  X plane, 
10  minutes  in  the  Y plane,  and  10  minutes  in  the 
Z plane*  provided  no  failures  occurred* 


Table  1-1 

Latin  Square  Test  Design 


Assembly  No* 

Vibration 

Level 

Temperature 

1 

vi 

V2 

V3 

Ti 

XYZ 

YZX 

ZXY 

2 

V2 

V3 

V1 

Ti 

ZXY 

XYZ 

YZX 

3 

V3 

V1 

v2 

Tl 

YZX 

ZXY 

XYZ 

The  procedure  for  assemblies  Nos.  2 and  3 is 
essentially  the  same  except  that  the  order  of  vi- 
bration differs*  The  test  levels  are  proportional 
to  the  flight  levels  specified  for  each  missile 
assembly* 

Program  limitations  for  the  Sergeant  dic- 
tated testing  at  one  temperature  level  only,  T^, 
therefore,  the  temperature  level  selected  was 
biased  high  to  ensure  a conservative  reliability 
estimate* 

One  advantage  of  the  Latin  square  design 
selected  is  that  wearout  effects  in  the  equip- 
ment can  be  isolated.  Significantly,  the  test 
results  indicated  that  equipment  wearout  was 
negligible  for  Sergeant  missile  assemblies* 

Tes^  Envirorynerytr 

The  selection  of  critical  temperature  and 
vibration  test  levels  was  based  on  a studv  of  the 
prescribed  Military  Characteristics  (MC’s),  field 
operation  tests,  and  an  analysis  of  R & D missile 
firings  of  the  Sergeant*  This  evaluation  showed 
that  the  critical  missile  temperature  environment 
resulted  from  desert  conditions  encountered  dur- 
ing checkout  and  countdown.  Consequently,  during 
an  actual  flight  missile  cooling  rather  than 
heating  occurred* 

The  assembly  ambient  temperature  was  deter- 
mined from  controlled  environmental  tests  made  on 
the  Sergeant  at  Jet  Propulsion  Laboratory  and  at 
Sperry  Utah*  During  the  tests  the  missile  was 
subjected  to  the  high  temperature  MC  requirement 
of  125j?F  ambient  plus  solar  radiation  of  360 
BTU/ft2/hr  for  4 hours  a day  with  the  assemblies 
instrumented  for  recording  temperatures* 


Table  1-2  shows  the  temperatures  both  re- 
corded and  selected  for  the  reliability  test. 


Table  1-2 


Missile  Assembly 

Ambient 

Temperature 

From 

Tests  ( F) 

Reliability 

Test 

Temperature 

Guidance  Platform 

137 

145 

Control  Assembly 

131 

140 

Guidance  Computer 

134 

145 

Arming  Computer 

130 

140 

Arming  Platform 

130 

140 

Frequency  Regulator 

151 

160 

Mo  t o r-Gene  r a tor 

156 

165 

Control  Surface 
Actuator 

180 

180 

Antenna  Assembly 

180 

180 

Interconnecting  Box 

180 

180 

Cable  Assembly 

180 

180 

The  most  severe  actual  vibration  environment 
of  the  missile  in  flight  results  from  the  drag- 
brakes  being  extended  into  the  air  stream.  For 
some  assemblies  this  vibration  is  quite  severe* 
Formerly,  the  mean  extreme  vibration  environment 
of  the  missile  was  defined  by  the  random  vibra- 
tion (noise)  as  measured  at  the  Standard  location 
{a  monitoring  point  located  on  the  primary 
structure  at  the  root  of  the  dragbrake).  How- 
ever, each  missile  assembly  experiences  different 
vibration  inputs  during  flight  caused  by  differ- 
ences in  mounting  and  local  resonance  of  the 
guidance  section  structure*  Thus  it  was  apparent 
that  use  of  a standard  tape  was  imposing  un- 
necessary design  restrictions  on  some  assemblies 
as  well  as  biasing  reliability  estimates  too  Con- 
servatively, As  a result,  Sperry  Utah  instituted 
a program  to  determine  the  In-f light  vibration 
environment  of  the  guidance  assemblies  and 
synthesize  a realistic  test  for  each  assembly. 

Because  the  test  philosophy^  dictated  a con- 
stant rms  vibration  level  all  pertinent  vibration 
parameters,  l.e*  bandwidth,  peak  level,  and  rms 
level  were  easily  controlled.  Random  noise  with 
the  desired  power-spectral -density  shape  was  re- 
corded on  magnetic  tape  which  was  then  used  to 
provide  input  excitation  for  the  test.  The 
desired  vibration  level  was  maintained  at  the 
shaker  by  a gain  control  in  the  shaker  control 
consol Thus,  vibration  level  was  independent 
of  the  noise  level  recorded  on  the  test  tape. 


TO 


71 


FIGURE  I-L  COMBINED  ENVIRONMENT  TESTING  OF  MISSILE  ASSEMBLIES 


The  noise  was  shaped  by  passing  "white*  noise 
through  the  peak-notch  equalizing  circuitry  in 
the  shaker  control  console*  The  transfer  func- 
tion of  the  circuitry  was  adjusted  until  the  out- 
put power-spectral -density  shape  agreed  with 
measured  in-flight  vibration*  (in  Part  II  of 
this  paper*  several  figures  are  presented  showing 
plots  of  flight  vibration  and  time*}  The  output 
power-spectral -density  from  the  equalization 
circuitry  Is  equal  to  the  product  of  the  input 
power-spectral -density  and  the  square  of  the 
system  transfer  function*  Since  the  input  power- 
spectral  -density  was  constant  with  respect  to 
frequency  (white  noise),  the  shape  of  the  output 
power-spectral -density  was  proportional  to  the 
square  of  the  transfer  function* 

Effecting,  tfaejfcgfc 

All  test  assemblies  were  mounted  in  their 
appropriate  shaker  table  adapting  fixtures  and 
then  given  an  8 hour  pre-$oak  at  test  temperature* 
The  test  equipment  consisted  of  an  MB  Mfg*  Co. 
C-2Q0  vibration  exciter  {20,000  \b  rms  force 
class)  used  in  conjunction  with  a 90  kilowatt 
power  amplifier  and  control  console  capable  of 
generating  the  random  voltages  required*  Two 
planes  of  shake  (V  and  Z)  also  required  the  use 
of  a Wylie  Model  WM-450  oil  film  table*  Tem- 
peratures were  maintained  by  a Wylie  Model 
IC-109C  temperature  controller  used  in  conjunc- 
tion with  a Sperry  Utah  built  portable  tem- 
perature hood*  Before  the  test  was  set  up,  an 
oil  film  table  was  pre-heated  under  a temperature 
hood  for  30  to  45  minutes.  When  the  temperature 
soak  was  completed,  the  test  assembly  and  fixture 
were  removed  from  the  temperature  chamber  and 
mounted  on  the  oil  film  table  in  as  short  a time 
as  possible  (2  to  3 min)*  The  temperature  hood 
with  the  specimen  inside  was  mounted  again  on  the 
oil  film  table  and  the  required  cabeling  and  test 
accelerometers  were  connected  to  the  assembly* 

See  figure  I-!*  To  eliminate  fixture  effects* 
the  test  accelerometers  were  mounted  on  the  test 
specimen  rather  than  on  the  fixture*  The  system 
acceleration  voltage  transfer  function  between 
the  specimen  and  the  exciter  power  supply  was 
equalized  over  the  desired  frequency  band*  This 
process  took  from  20  minutes  to  1 hour  and  allow- 
ed enough  time  for  the  test  assembly  to  reach 
temperature  equilibrium  before  the  shake  test 
began.  After  equalization,  the  test  specimens 
were  subjected  to  random  vibration  levels,  as 
specified  in  the  Latin  square  process,  for  the 
prescribed  times  or  until  a failure  was  indicated 

Typical  Failure  Modes  and  Corrective  .Action 

Four  typical  failures  are  discussed  to 
illustrate  the  types  of  failure  modes  and  areas 
of  corrective  action  encountered  in  the  tests* 

The  failures  discussed  represent  an  engineering 
design  failure,  a vendor  component  quality  con- 
trol deficiency,  a vendor  component  design 
deficiency,  and  a workmanship  defect* 


Frequency  Regulator  (Engineering  design 
failure!*  Of  greatest  importance  was  the  re- 
peated  failure  of  two  identical  capacitors  in  the 
motor-field  drive  subassembly  of  the  frequency 
regulator.  The  capacitors  are  60  mfd,  30  volt 
tantalum  capacitors*  This  component  alone 
accounted  for  five  assembly  failures  and  ten  com- 
ponent failures*  The  principle  modes  of  failure 
were  either  fracturing  of  the  tantalum  lead  be- 
tween the  tantalum  slug  and  the  seal  washer  or  a 
seal  breakage  resulting  in  the  loss  of  elec- 
trolyte* See  figures  1-2  and  1-3. 

One  of  the  main  causes  of  this  failure  was 
the  packaging  design*  It  was  shown  that  the  re- 
sonant frequency  and  the  subsequent  excitation 
amplification  at  the  failure  location  occurred  at 
the  same  frequency,  see  figure  1-4*  Consequently 
the  capacitors  were  subjected  to  a severely  in- 
creased vibration  environment.  It  is  possible 
that  with  15  g rm$  of  vibration  excitation,  cap- 
acitor environment  was  in  excess  of  58  g rms  over 
the  frequency  spectrum  with  instantaneous  peaks 
of  200  g occurring  infrequently*  Because  these 
stress  levels  exceed  the  falling  component* s 
environmental  specification  a design  modification 
was  required. 

Sperry  Utah  redesigned  the  circuit  board  to 
reduce  the  total  resonance  condition  and  suggest- 
ed further  component  redesign  changes  to  the 
vendor* 

Guidance  Platform  (Vendor  Component  quality 
control  deficiency).  A different  mode  of 
failure  occurred  after  20  seconds  of  operation  of 
a guidance  platform  at  5 g rms  vibration.  A 1 
mfd  teflon  capacitor  in  the  yaw  pre-amplifier  in- 
tegrator had  failed  because  of  insufficient 
dielectric  terminal  wrapping*  Analysis  of  the 
Component  revealed  that  an  inserted  tab  lead  had 
pierced  the  teflon  dielectric  and  shorted  one 
winding*  It  was  also  found  that  the  two  0.5  mfd 
windings  were  insufficiently  restrained  in  the 
"bathtub*  case  by  teflon  waste  thus  allowing 
excessive  lateral  movement*  The  failure  mode  was 
classed  as  vendor  quality  control  defect  since 
considerable  effort  was  expended  with  the  vendor 
early  In  the  program  to  effect  a capacitor  design 
consistent  with  Sergeant  environmental  require- 
ments. See  figures  1-5  and  1-6* 

Control  Surface  Actuator  (Vendor  component 
design!!  The  Sergeant's  control  surface  actua- 
tor  assembly  was  vibrated  in  the  3C  plane  at  20  g 
rms.  After  36  seconds  of  vibration  a 10  kilohm 
telemetry  potentiometer  wiper  intermittently 
lifted  off  the  pot  and  caused  a noisy  output*  An 
investigation  showed  that  the  wiper  support  slip"' 
ped  laterally  on  the  control  shaft*  The  support 
was  positioned  on  the  shaft  by  bonding.  The 
vendor  has  since  improved  the  potentiometer  de- 
sign by  adding  spacers  between  the  three  wiper 
assemblies  to  preclude  slippage  of  the  wipers* 

See  figures  1-7  and  1-8.  Since  this  failure 


72 


73 


FIGURE  1-2.  FREQUENCY  REGULATOR  SUBASSEMBLY  SHOWING  CAPACITORS  WHICH  FAILED  IN  VIBRATION 


CC 

O 

t 

o 

< 

CL 

< 

O 


li 

z o 

< LjJ 
h-  CO 


Q 

LiJ 


CO 

CO 

o 

a: 

o 


ro 


H 

UJ 

cr 

3 

O 


74 


75 


TAB 

FIGURE  1-6.  FAILED  TEFLON  CAPACITOR, 
CROSS  SECTION 


77 


78 


FIGURE  X—  7.  MISSILE  FLAP  ACTUATOR  SHOWING  POSITION  POTENTIOMETER  WHICH  FAILED  IN  VIBRATION 


FIGURE  1-8.  GANG-POTENTIOMETER,  CROSS  SECTION 


79 


occurred  on  a non-tactical  component  the  failure 
was  not  considered  pertinent  in  the  statistical 
evaluation  of  the  reliability  indice  for  this 
assembly* 

NB  Quadrant  Antenna  Assembly  (Workmanship 
error )7 The  northeast  quadrant  antenna  assembly 
of  the  missile  consists  of  two  DO VAP  antennas# 

The  receiving  antenna  (36*9  me)  detects  ground- 
transmitted  signals  which  are  then  amplified, 
doubled  in  frequency,  and  retransmitted  to  the 
ground  by  means  of  the  transmitting  antenna 
(73*8  me)*  The  function  of  the  DOVAP  is  to  aid 
in  establishing  velocity  and  position  information 
of  the  missile  during  flight*  Two  of  the  three 
NE  quadrant  antenna  assemblies  failed  because  the 
36*9  me  and  73*8  me  terminating  capacitors  were 
short-circuited  in  their  mounting  block  assembly* 
See  figures  1-9  and  1-10* 

These  failures  occurred  because  poor  in- 
stallation forced  one  of  the  capacitor  leads  to 
short  against  the  capacitor  case#  The  corrective 
action  taken  was  to  instruct  the  assembly  person- 
nel in  the  proper  assembly  techniques  and  to  in- 
scribe caution  notes  on  drawings  and  operation 
sheets#  Most  of  the  failure  modes  encountered 
as  a result  of  the  combined  operating  temperature 
vibration  environment  were  failure  modes  that  had 
not  been  observed  on  earlier  type-approval  and 
flight  acceptance  tests* 

Test  Problems 

Four  problems  are  discussed  to  illustrate 
the  type  of  test  problems  encountered  in  effect- 
ing the  program  for  the  first  time* 

Equipment  Operating  Mode*  The  Sergeant 
missile  is  designed  for  maximum. flight  time  of 
approximately  200  seconds*  During  this  time, 
the  guidance  computer,  an  analog  computer,  per- 
forms the  following  functions r 

(1)  Computes  missile  deviations  from  the 
programmed  trajectory  during  the  initial 
period  of  flight  and  provides  correc- 
tion signals  to  maintain  the  missile  on 
the  correct  trajectory* 

(2)  Computes  missile  deviations  from  the 
standard  range  position  during  the 
flight  and  provides  signals  for  drag- 
brake  closure  commands  for  vernier 
range  control,  and  the  final  phase 
maneuver* 

(3)  Provides  a warhead  arming  permit 
command  when  the  missile  is  within  pre- 
scribed range  and  azimuth  bounds* 

To  test  the  guidance  computer  functionally, 
a standard  trajectory  is  simulated  by  test 
equipment  but  the  standard  flight  time  is  com- 
pressed to  a 90  second  period#  During  this  sim- 
ulated flight,  functional  parameters  such  as  in- 
tegration and  cross-over  time  are  monitored  and 


compared  against  the  standard  performance  times* 
The  test  philosophy  dictates  30  minutes  of  vibra- 
tion per  test  level  if  no  failures  occur*  To 
utilize  existing  test  equipment  the  assembly  was 
subjected  to  repeated  simulated  flights  of  90 
seconds*  The  computer  was  rezeroed  and  the  para- 
meters were  reinserted  between  flights,  until  a 
failure  occurred  or  the  testing  time  was  com- 
pleted* The  control  assembly  tests  were  conduct- 
ed in  a similar  manner*  Satisfactory  test  re- 
sults were  obtained  but  the  test  setup  time  was 
excessive* 

Determination  of  Failures*  The  determina- 
tion of  catastrophic  failures  during  the  flight 
mode  was  not  difficult  but  the  determination  of 
non-catastrophic  failures  in  some  cases  presented 
problems*  For  example,  the  Bell  Accelerometer 
utilized  in  the  Sergeant  guidance  platform  is  de- 
signed with  a noise  threshold  limitiation  of 
approximately  15  g*  When  this  noise  threshold 
was  reached,  usually  within  one  second  of  vibra- 
tion at  15  g,  the  accelerometer  outputs  which 
were  monitored  as  a pertinent  performance  para- 
meter saturated*  The  initial  reaction  from  test 
personnel  was  that  a platform  failure  had  occurr- 
ed* Although  the  problem  was  basically  simple,  a 
certain  amount  of  analysis  and  discussion  was  re- 
quired within  the  Engineering  groups  to  validate 
the  classification  of  the  failure  and  its  treat- 
ment during  the  rest  of  the  tests*  The  treat- 
ment was  to  ignore  the  accelerometer  performance 
at  the  higher  vibration  level  test*  It  is  in- 
teresting to  note  that  Sergeant  guidance  plat- 
form performance  at  the  higher  vibration  levels 
exceeded  expectations*  This  performance  led 
Engineering  to  conclude  that  after  quality  con- 
trol type  defects,  (i*e*,  the  capacitor  construc- 
tion failure  previously  discussed)  have  been  re- 
solved the  guidance  platform  is  quite  reliable 
relative  to  its  complexity* 

Mo-Failure  Problem*  The  test  philosophy 
was  based  on  the  assumption  that  failures  would 
occur  during  tests*  Prior  to  testing  Engineer- 
ing did  not  assume  that  any  missile  assemblies 
would  show  no  failures*  This  ^failure  will 
occur”  view  was  held  not  because  of  pessimism  or 
lack  of  confidence  in  the  equipment  design  but 
rather  from  the  consideration  that  the  tempera- 
ture-vibration environment  over  the  limit  was 
extreme*  Because  some  missile  assemblies  did  not 
fail  during  the  tests  a different  statistical 
model  had  to  be  developed  to  replace  the  Latin 
Square  repeated  test-to-failur©  philosophy  to 
preclude  biasing  the  reliability  indices  too  con- 
servatively* The  extension  of  this  statistical 
theory  is  discussed  in  Part  II  of  this  paper* 

Operations  Problems*  In  evaluating  the  test 
program  itself,  major  difficulties  were  apparent 
in  obtaining  and  maintaining  the  test  equipment, 
equalizing  the  vibration  system  for  the  parituclar 
noise  tapes,  and  changing  equipment  to  conform 
with  the  randomization  pattern  for  test  specimens 
and  vibration  planes  imposed  by  the  Latin  Square 
design*  However  the  tests  were  facitilated 


81 


82 


FIGURE  I- 10.  CAPACITOR  BLOCK  ASSEMBLY,  MANUFACTURING  DEFECT 


through  scheduling  environmental  tests  only  when 
three  working  assemblies  of  each  type  were  avail- 
able and  utilizing  the  pre-soak  temperature 
chamber  to  condition  the  assemblies*  The  in- 
stitution of  the  pre-soak  chamber  effected  a con- 
siderable reduction  in  environmental  test  time 
and  the  number  of  shaker  plane  changes*  It  was 
generally  concluded  that  the  test  and  vibration 
equipment  itself  had  more  reliability  limitations 
than  did  the  Sergeant  hardware  under  test. 

In  a test  program  of  this  magnitude,  provid- 
ing an  adequate  supply  of  spare  parts  for  failed 
assemblies  in  a time  frame  consistent  with  the 
schedule  requirements  constitutes  a significant 
problem*  Sperry  Utah  attempted  to  resolve  this 
difficulty  by  predicting  in  advance  failure  modes, 
using  production  parts  for  repairs  and  by  re- 
stocking parts  as  they  were  used*  Typically, 
many  predicted  failures  did  not  occur  while  many 
non-predicted  minor  component  failures  did  occur 
thus  causing  repair  part  procurement  problems* 

The  author  has  no  particular  recommendation  for 
improvement  here  as  replacement  parts  coverage 
for  a reliability  test  program  should  be  evaluat- 
ed with  respect  to  overall  program  cost  and 
schedule  limitations. 


63 


PART  IT*  STATISTICAL  TECHNIQUES  APPLIED  TO  THE  SERGEANT  REPEATED  TEST-TO-FAILURE  PROGRAM 


Larry  Blundell,  Research  Engineer 
Sperry  Utah  Company 
Salt  Lake  City,  Utah 


Latin  Square 

The  design  of  the  reliability  test  program 
and  the  analysis  is  based  upon  the  following 
statistical  model*  Three  units  were  tested  at 
each  of  three  different  vibration  stress  levels 
for  a period  of  30  minutes  unless  a failure 
occurred  prior  to  30  minutes*  If  a failure  oc- 
curred, the  faulty  unit  was  repaired  and  retested 
for  another  30  minutes  under  the  same  qualifica- 
tion, If  no  failure  occurred  during  the  second 
30-minute  test  period,  a conservative  estimate  of 
time  to  failure  was  assumed  to  be  30  minutes* 

The  order  in  which  the  stress  levels,  (g) 
were  applied  to  the  items  is  shown  in  the  3x3 
Latin  Square  in  tables  IT-1,  2,  and  3.  An  es- 
timate for  the  mean  life,  which  is  different  for 
each  stress  level  at  which  the  unit  is  tested,  is 


rK 


JQ  " TJQ-»1 


K 


‘‘JLQ 


(1) 


where 

L a stress  level 

£ 

= total  time  for  which  the  Jth  unit  has 
been  stressed  at  the  Qth  stress 
level  applied,  and  at  all  previous 
stress  levels 

K = positive  integer 


Estimates  for  the  mean  life  are  shown  in  minutes 
in  the  Latin  square  in  tables  II-l,  2,  and  3* 

Table  II-l*  Latin  Square  - Frequency  Regulator 


Assembly 

Number 

Order  of 

Stress  Application 

1 

2 

3 

5 g 

10  g 

15  g 

1 

30  min* 

15  mi  n 

15* min 

o 

10  g 

15  g 

5 g 

15  min 

11  min 

30  min* 

15  g 

5 g 

10  g 

3 

8 min 

30  min* 

30  min 

^Assumed  Failure  Time 


Table  II-2  Latin  Square  - Control  Surface  Actuator 


Assembly 

Number 

Order  of  Stress  Application 

1 

2 

3 

1 

10  g 
30  min* 

15  g 
30  min* 

20  g 
11  min 

2 

15  g 
15  min 

20  g 
30  min* 

10  g 
30  min* 

3 

20  g 
30  min* 

10  g 
30  min* 

15  g 
15  mini 

Table  II-3 

Latin  Square  - Arming  Computer 

Assembly 

Number 

Order  of 

Stress  Application 

1 

2 

3 

5 g 

10  g 

15  g 

X 

30  min* 

30  min* 

1*7  min 

2 

10  g 
2.5  min 

15  g 
0.8  min 

5 g 

5.8  min 

3 

15  g 
7*5  min 

5 g 

2.9  min 

10  g 
15  min 

Test  for  Wearout 


To  test  for  the  existence  of  wearout  effects, 
it  is  necessary  to  adjust  the  mean  life  by  vary- 
ing Km  If  the  mean  life  is  estimated  correctly 
for  each  stress  level,  then  the  estimated  mean 
life  for  a given  stress  level  will  be  approx- 
imately the  same  whether  or  not  the  unit  had  been 
tested  previously*  Where  wearout  effects,  or  age 
effects,  are  successfully  compensated  for,  there 
will  be  no  significant  differences  between  the 
average  values  for  each  of  the  columns  in  the 
Latin  square*  If  K is  too  large  (too  much  in- 
fluence given  to  age),  then  each  mean  life  will 
be  overestimated*  Since  the  magnitude  of  the 
error  is  related  to  wearout,  the  columns  to  the 
right  in  the  Latin  square  should  be  progressively 
larger.  If  K is  too  small,  (too  little  influence 


85 


given  to  age),  then  each  mean  life  will  be  under** 
estimated.  As  before,  the  error  is  related  to 
age,  but  now  the  estimates,  and  hence  the  column 
averages,  will  be  progressively  smaller. 

The  proper  value  of  K was  determined  by  an 
analysis  of  variance  (table  II-4)  In  which  the 
natural  logarithm  of  the  mean  life  was  used  in 
the  square*  From  the  information  shown  in  table 
II-5,  a value  of  unity  is  the  best  estimate  for  K. 


Table  II-4  Analysis  of  Variance 


Source  of  Variation 

D,F. 

Statistical  Test 

SS  due  to  age  effect 
SSA 

2 

SSA 

—s r F(2-2) 

SS  due  to  stress  effects 
SSS 

2 

ssc 

it  FC2’2) 

SS  due  to  different  units 
SSy 

2 

S% 

““  F(2,2) 

SSg 

Error  SS  - $$£ 

2 

Total  SS  - SSj. 

An  average  of  the  three  estimates  for  the  mean 
life  at  each  stress  level  was  computed.  These 
values  were  substituted  into  equation  (2),  which 
was  expanded  in  a Taylorfs  series  about  initial 
estimates  for  A and  B,  The  resulting  values  for 
A and  B were  used  as  new  estimates  in  the  Taylor's 
expansion.  The  iteration  was  continued  until  the 
desired  accuracy  was  obtained.  Values  for  A and 
B determined  by  this  method  are  shown  in  table 
IT-4,  column  2, 

A second  estimate  for  A and  B was  obtained 
by  taking  the  natural  logarithm  of  the  average  of 
the  mean  life  for  a given  stress  level  and  fitt- 
ing a curve  by  standard  linear  regression  anal- 
ysis, These  values  are  shown  in  column  1 of 
table  II-6. 


Table  I 1-6  Estimates  for  A and  B 


Assembly 

Column  1 

Column  2 

A 

B 

A 

B 

Frequency 

Regulator 

-0.1028 

4.1253 

-0.0992 

4.0959 

Control 

Surface 

Actuator 

-0.0324 

3.8185 

-0.0391 

3,9248 

Arming 

Computer 

-0.1309 

3.2296 

-0.0678 

2,7727 

Table  I 1-5  Variance  Ratios 


Assembly 

K 

ssA 

ssE 

Frequency 

I 

1.8613 

Regulator 

2 

12.4414 

3 

16.2179 

Control 

1 

1 .0000 

Surface 

Actuator 

2 

4.5068 

3 

8,5969 

Arming 

1 

0.1949 

Computer 

2 

0.4141 

3 

0.5395 

i 

Earlier  studies  indicated  that  the  mean  life 
could  be  approximated  by 


9 

AS  t 1 

- 6 

where 

S 

= vibration  stress  level 

A,B 

= constants 

Reliability  Equations 

The  reliability  for  time  T is  given  by 
-TK  £-  (AS  + B) 

reliability  - £ (3) 

The  average  strength  is  defined  as  that  stress 
level  for  which  the  reliability  of  the  item  is 
0.50  when  tested  for  a time  period  T.  Sub- 
stituting 0,50  for  the  reliability  in  equation 
(3),  we  have  the  following  expression  for  the 
average  strength  as  a function  of  timer 

S = [k  LOG  T - LOG  (-LOG  0.5)  - b]  -S-  A (4) 

The  reliability  boundary,  F,  is  the  extreme 
stress  level  sustained  by  the  equipment  under 
service  conditions.  The  safety  margin,  defined 
as  the  number  of  standard  deviations  which 
separate  the  average  strength  from  the  reliabil- 
ity boundary,  is  given  by 

K LOG  T - LOG  {-LOG  0.5)  - 5 

- 

where 

o 

(j-  = residual  variance  arising  from  the 

estimates  of  A and  B. 


86 


NUMBER  OF  STANDARD  DEVIATIONS  ABOVE  STRESS  LEVEL  (G) 

RELIABILITY  BOUNDARY 


15 


RELIAB 

BOUND 

IUTY 

ARY 

0 5 10  15  20  25 

TIME  (MIN) 

FIGURE  H-l.  AVERAGE  STRENGTH,  FREQUENCY 
REGULATOR 


0 2 4 6 8 10  12  14  16 

TIME  (MIN) 

FIGURE  H-2.  SAFETY  MARGIN  , FREQUENCY 
REGULATOR 

87 


STRESS  (g  RMS)  TIME  (MIN) 


0 5 10  15 

STRESS  LEVEL  (G) 


IGURE  31-3.  MAXIMUM  SAFE  OPERATING  LEVEL  , FRE- 
QUENCY REGULATOR 


12  14  16  18  20  22  24 


TIME  (MIN) 

FIGURE  H-4.  AVERAGE  STRENGTH,  CONTROL 
SURFACE  ACTUATOR 


88 


O 2 4 6 8 10 

TIME  (MIN) 

FIGURE  OT-7.  AVERAGE  STRENGTH , ARMING  COMPUTER 


FIGURE  31-8.  SAFETY  MARGIN,  ARMING  COMPUTER 


90 


VIBRATION  (g  RMS)  TIME  {MIN) 


FIGURE  H-9.  MAXIMUM  SAFE  OPERATING  LEVEL, 
ARMING  COMPUTER 


FIGURE  H-IO.  EXTREME  FLIGHT  ENVIRONMENT  FOR 
FREQUENCY  REGULATOR,  COMPOSITE 
FOR  ROUNDS  37  AND  43 


91 


VIBRATION  (g  RMS)  VIBRATION  (g  RMS) 


20 


0 i 1 1 1 1 1 I l l 

0 10  20  30  40  50  60  70  80 


TIME  AFTER  LAUNCH  (SEC) 

FIGURE  H- II.  EXTREME  FLIGHT  ENVIRONMENT, 
CONTROL  SURFACE  ACTUATOR 


0 10  20  30  40  50  60  70  80  90  100  110 

TIME  (SEC) 

FIGURE  31-12.  EXTREME  FLIGHT  ENVIRONMENT, 
ARMING  COMPUTER 


92 


If  the  reliability  in  equation  (3)  is  0.95, 
the  corresponding  stress?  ST,  is  defined  as  the 
maximum  safe  operating  level  (MSOL).  The  95“* 
percent  lower  confidence  bound  for  the  MSOL  is 
given  by  1 

i“Y~ 

T « I (-LOG  0.95)  e 0o95  j (6) 

where 


0*95 


= is  the  value  in  the  *tw  tables  at 
the  95  percent  level  with  one 
degree  of  freedom,  and 


co  - 


H a [<r  (C0  + Cj  SL  + C2  Sf  ) 

3 


C1  = 


C2  = 


z 

L=1 

* l 

3 

Z esL-§)2 

L=1 

- 2 £ 

3 

Z 

L=1 

(sL  - s)2 

1 

3 

z 

(SL  - s)2 

L=I 


Graphs  of  the  average  strength,  safety  mar- 
gin, and  MSOL  for  the  frequency  regulator  used  in 
the  Sergeant  missile  are  shown  in  figures  II-l, 

I 1-2,  and  I 1-3,  respectively*  Corresponding 
graphs  for  the  control  surface  actuator  and  the 
arming  computer  are  shown  in  figures  II -4  through 
1 1-9* 

Flight  Reliability 


The  flight  reliability  corresponding  to  the  two 
different  estimates  for  A and  B is  shown  in  table 
1 1-7  * 


Table  II-7  Flight  Reliability 


Assembly 

Flight  Reliability 
(A  and  B are  taken  from  table  II-6) 

Column  1 

Column  2 

Frequency 

Regulator 

0.9916 

0.9915 

Control 

Surface 

Actuator 

0.9867 

0.9876 

Arming 

Computer 

0.9862 

0.9812 

Assemblies  Having  Wo  Failures 


The  motor-generator,  interconnecting  box, 
cable  assembly,  and  antenna  were  tested  to  the 
Latin  square  design.  The  vibration  levels  for 
the  motor-generator  were  5,  10,  and  15  g.  The 
interconnecting  box,  cable  assembly,  and  antenna 
were  tested  at  10,  15,  and  20  g. 

Because  there  were  no  failures  at  any  of  the 
stress  applications,  the  Latin  square  model  could 
not  be  used.  In  view  of  this  fact,  the  flight 
reliability  was  determined  as  follows? 

Let  the  probability  of  success  be  where  x 

is  equally  likely  to  have  any  of  the  values  0,1, 
2,  3 ...  m*  The  chance  that  the  first  n trials 
should  all  be  successful  is 


When  the  event  described  by  equation  (8)  has 
taken  place,  then  x ^ 0.  The  respective  pro- 
babilities that  x has  the  values  1,2,  ...  m 
become 


If  the  stresses  during  flight, ^ 
pressed  as  a function  of  time,  then 

J e-(A?  + B) 

reliability  »€  ^ 


, are  ex- 


K-l 


dt 


(7) 


N 

mn 

N 

(2V 

m + 1 

\m  j ’ 

m + 1 

W 

and  the  chance  of  success 
is 


N 

* * * nTTT 


(9) 


at  the  (n  + l)th  trial 


where 

T » time  of  flight 


(10) 


A graph  showing  the  in-flight  stresses,  ip  , for 
the  critical  vibration  axis  of  the  frequency  re- 
gulator is  shown  in  figure  11-10.  Corresponding 
graphs  for  the  control  surface  actuator  and  the 
arming  computer  are  shown  in  figures  II-ll  and 
11-12,  respectively.  The  flight  reliability  was 
determined  by  integrating  equation  (7)  with  the 
stress  as  shown  in  figures  11-10,  11,  and  12. 


or 


/-Ol+l 

/rtXn+l 

> xn+l 

+ 1 + . . 

• - ^ 

(m) 

[ml 

lm ) 

(U) 


93 


VIBRATION  (g  RMS)  VIBRATION  { g RMS) 


0 10  20  30  40  50  6 0 

TIME  AFTER  LAUNCH  (SEC) 

FIGURE  nr- 13.  FLIGHT  ENVIRONMENT, 

MOTOR -GENERATOR 


0 to  20  30  40  50  60 

TIME  AFTER  LAUNCH  (SEC) 

FIGURE  31-14.  FLIGHT  ENVIRONMENT, 
INTERCONNECTING  BOX 


94 


VIBRATION  (g  RMS)  VIBRATION  {g  RMS) 


0 10  20  30  40  50  60 

TIME  AFTER  LAUNCH  (SEC) 

FIGURE  31-15.  FLIGHT  ENVIRONMENT, 

CABLE  ASSEMBLY 


0 10  20  30  40  50  60  70  60 

TIME  AFTER  LAUNCH  (SEC) 

FIGURE  31-16.  EXTREME  FLIGHT  ENVIRONMENT, 
ANTENNA 


95 


PROBA 


EXPECTATION 


FIGURE  31-17.  POISSON  DISTRIBUTION 


0.04 

0.05 


When  the  numerator  and  denominator  of  equation 
( 1 1 ) are  divided  by  m,  the  denominator  can  be 
written  as 

ln  + 2n  + . „ . 4 mn  _ 1 in"1 

m n + 1 n + 1 2 

B,nm"2  B0n(n-1 ) (n-2)  m"4 

+ — + . . . (12) 

2!  4! 


Statistical  Limitation 

The  95-percent  upper  and  lower  confidence 
hounds  for  the  MSOL  form  a hyperbola  whose 
asymptotes  intersect  at  the  means  for  the  time 
and  stress*  Only  the  95-percent  lower  confidence 
bounds  are  shown  in  the  figures  for  the  MSOL*  As 
the  sample  size  increases*  the  slopes  of  the 
asymptotes  approach  the  slope  of  the  regression 
line.  In  fact,  for  large  samples  the  confidence 
bounds  are  approximately  parallel  with  the  re- 
gression line* 


where  B^,  B2*  * . ~ Bernoulli fs  numbers. 

Equation  (12)  can  be  rewritten  as 

— 4 terms  involving  negative  (13) 
n powers  of  m 

Therefore,  if  m is  increased  without  bound, 

1 


1 4 2 4 . . • 4 m 


n TT 


n 4 1 


(14) 


For  small  samples  the  hyperbolic  nature  of 
the  confidence  bounds  is  greatly  exaggerated, 
reflecting  the  lack  of  confidence  at  the  ends  of 
the  stress  intervals*  For  the  previously  dis- 
cussed assemblies  this  limitation  is  apparent. 


Expanding  the  numerator  of  equation  (10)  in  the 
same  manner  and  letting  m increase  without  bound 
gives 


Ia+1  ♦ 2n+1  + . 


4 m 


n41 


n 4 2 


1 

n 4 2 


Hence  the  chance  of  success  at  the  (n  4 l)th 

n 4 1 g,  > 

trial  is  — — r (15) 

n 4 2 


At  the  95-percent  level,  the  value  of  n is  18* 
Each  item  was  tested  for  a total  time  of  90 
minutes;  hence  an  extimate  for  the  mean  time  to 
failure  is  95  minuteso 

The  flight  environments  for  the  motor- 
generator,  interconnecting  box,  cable  assembly, 
and  antenna  are  shown  in  figures  11-13  through 
n-16,  respectively.  Based  upon  the  Poisson  dis- 
tribution and  an  expectation  of  0.003,  the  flight 
reliability  is  approximately  0.997.  (See  figure 
11-17  for  selected  values  from  the  Poisson  dis- 
tribution. ) 


97 


PART  III*  CONCLUSIONS  AND  RECOMMENDATIONS 


The  basic  statistical  test  philosophy  proved 
to  be  readily  adaptable  to  practical  test  applica- 
tion on  Sergeant  missile  assemblies* 

To  preclude  biasing  reliability  indices  too 
conservatively  for  "no-failure"  type  assemblies 
It  was  necessary  to  develop  a new  statistical 
analysis* 

Results  of  the  test  indicated  that  Sergeant 
missile  assemblies  are  not  subject  to  wearout 
effects  from  the  environmental  tests. 

The  repeated  test-to-f allure  program  iden- 
tified design,  component,  and  quality  control 
type  defects  that  were  not  discovered  by  previous 
type-approval  and  flight  acceptance  test  pro- 
grams * 

The  computed  in-flight  reliability  calculated 
from  the  repeated  test-to-f allure  program  agreed 
with  the  reliability  as  demonstrated  in  the  R & D 
missile  flight  test  program* 


BibUpgr.apte 

1*  White,  Da , Operational  Reliability  and 

Maximum  Safe  Operating  Levels  for  Expensive 
Equipment,  Proceeding  of  the  Sixth  Joint 
Mil it ary- Industry  Guided  Missile  Reliability 
Symposium,  presented  February  15-17,  I960, 

El  Paso,  Texas. 


9& 


A METHOD  FOR  DETERMINING  THE  COST  OF  FAILURES 


David  E.  Van  TIJn 
ARINC  Research  Corporation 
Washington,  D.C. 


Summary 

Cost  predictions  for  weapons  systems 
are  based  on  the  same  general  principles, 
and  developed  by  the  same  general  tech- 
niques, as  reliability  predictions  for 
equipments*  Therefore,  the  step-by-step 
procedure  for  developing  a mathematical 
model  for  cost  allocation  — on  which  the 
cost  predictions  are  based  — Is  analogous 
to  the  well-established  procedures  for 
developing  reliability  allocation  models* 
This  paper  presents  a sequential  set  of 
rules  for  establishing  a cost  model,  ex- 
emplified by  application  to  an  actual  Air 
Force  weapons  system. 

The  model  developed  for  a particular 
support  system  will  allocate  the  various 
expenditures  for  the  equipment  being  sup- 
ported. Expenditures  fall  within  the  cat- 
egories of  Investment,  Manpower,  Supplies, 
and  Time, 

A discussion  of  the  theory  behind 
cost  allocation  and  predictions  precedes 
the  presentation  of  the  rules  for  develop- 
ment of  a cost  model. 

Introduction 

Cost  predictions  for  the  support  of 
weapons  systems  are  evolved  in  much  the 
same  manner  as  reliability  predictions  for 
equipments.  The  three  basic  data-inputs 
to  each  are  of  the  same  general  nature,  A 
reliability  prediction  considers  (a)  char- 
acteristics of  parts,  (b)  the  collective 
functioning  of  parts,  and  (c)  the  effects 
of  part  variations  on  the  equipment  as  a 
whole,  A cost  prediction  considers  (a) 
actions  of  Individual  personnel,  (b)  fea- 
tures of  the  weapons  system  support  organ- 
ization, and  (c)  the  skill  of  support  per- 
sonnel, as  reflected  in  organizational 
efficiency. 

This  analogy  does  not  suggest  that 
support  costs  are  Independent  of  equipment 
characteristics,  any  more  than  reliability 
is  Independent  of  the  properties  of  metals 
or  of  the  dielectric  behavior  of  Insula- 
tors. However,  just  as  failures  occur 
when  some  basic  quality  of  a material  Is 
changed  out  of  tolerance,  so  costs  are  In- 
curred when  someone  performs  an  action  — 
fixes  an  equipment,  purchases  a part,  etc. 
The  analogy  can  be  carried  further.  Major 
contributions  of  any  reliability  predic- 
tion (in  the  course  of  its  development) 


are  the  detection  of  design  features  which 
may  tend  to  make  the  equipment  prone  to 
failure,  and  the  location  of  areas  In 
which  redundancy  can  be  employed  to  advan- 
tage. Similarly,  cost  studies  will  bring 
out  Improved  methods  of  organizational 
controls.  Evaluation  of  the  cost  of  each 
support  action  will  focus  attention  upon 
those  organizational  features  and  standard 
operating  procedures  which  incur  more  than 
their  fair  share  of  costs. 

A final  parallel  between  reliability 
and  cost  Is  in  the  methodology  one  employs 
In  the  study  process*  The  reliability  of 
an  equipment  depends  upon  its  detailed 
structure;  for  this  reason,  the  related 
prediction  theory  consists  of  a series  of 
instructions  which,  for  a given  equipment, 
will  outline  how  to  construct  its  relia- 
bility model.  Likewise,  one  can  follow  a 
documented  procedure  for  constructing  a 
cost  function  for  a given,  support  organi- 
zation, The  Inputs  to  a cost  prediction 
are  the  costs  of  actions,  materials,  and 
personnel,  and  the  frequency  with  which 
the  equipment  forces  support  action. 

At  this  point,  the  cost  analyst  di- 
verges from  the  reliability  engineer.  The 
actions  of  men  which  the  former  must  ob- 
serve are  carried  out  In  the  open,  and 
sophisticated  systems  exist  for  keeping 
track  of  relevant  events.  Therefore,  cost 
analysis  is  more  a problem  of  handling  all 
of  the  Information  generated  in  the  oper- 
ation of  a support  organization  than  a 
problem  of  conducting  basic  research.  For 
the  reliability  engineer  this  situation 
would  be  analogous  to  having  an  oscillo- 
scope hooked  up  to  every  wire,  a micro- 
meter to  every  wearing  surface,  etc.  From 
this  point  of  view,  a cost  analyst  is  In- 
deed In  a fortunate  situation. 

From  another  point  of  view  he  is  not 
so  fortunate.  Although  certain  phases  of 
the  support  organization  can  be  observed 
in  isolation,  the  only  way  in  which  the 
cost  of  the  time  which  materials  spend  In 
the  system  can  be  accounted  for  is  by  ob- 
serving the  system  as  a whole. 

The  cost  analyst  has  two  further  dis- 
advantages vis-a-vis  the  reliability  engi- 
neer: 

(1)  The  data  concerning  on-the-job 
performance  of  personnel  are 
also  used  by  their  superiors  to 


99 


evaluate  this  performance*  Hence  the 
complete  objectivity  (and  accuracy) 
of  such  data  Is  dubious,  at  best; 
such  data  must  always  be  investigated, 
and  inaccuracies  accounted  for  in  the 
final  results* 

(2)  Among  the  factors  inflating  the 
size  of  a supply  system  are  the 
delay-times  which  occur  between  the 
different  stages  of  the  system.  {These 
delay-times  .-must  be  assigned  a cost, 
charged  to  the  activity  responsible 
for  them.  One  way  of  doing  this  is 
by  counting  the  flow  of  new  purchases 
at  critical  points.  However,  the 
cost  analysis  may  be  complicated  by  a 
considerable  amount  of  interdependence 
between  the  different  parts  of  the 
support  system,  again  postponing  the 
full  usefulness  of  the  cost  model. 

In  the  third  section  of  this  paper 
are  listed  some  of  the  rules  for  con- 
structing cost  models,  exemplified  by  ap- 
plication to  an  actual  Air  Force  support 
system.  This  presentation  is  preceded  by 
a short  identification  of  costs,  and  a 
discussion  of  the  limitations  of  the  pre- 
sent methodology. 

In  the  final  section  is  given  a brief 
review  of  the  manner  in  which  cost  infor- 
mation developed  by  these  rules  can  be 
useful  in  the  decision-making  processes 
of  the  services. 

Expenditure  Headings 

A model  developed  for  a particular 
support  system  will  allocate  the  various 
expenditures  for  the  equipment  being  sup- 
ported. The  following  paragraphs  discuss 
what  these  expenditures  are. 

Investment 

The  "investment n category  includes 
most  of  the  fixed  expenditures  for  bases 
and  maintenance  and  supply  facilities; 
and  for  the  first  cost  of  weapons  and 
their  initial  stocks  of  supplies.  In  the 
new  DOD  costing  procedure,  this  category, 
does  not  include  operating  expenses. 
Therefore,  no  rules  are  given  herein  for 
allocating  Investment  expenses. 

Manpower 

This  heading  is  important  for  two 
reasons : support  personnel  are  in  chron- 

ically short  supply,  and  their  pay  and 
allowances  constitute  an  expenditure 
equivalent  to  that  for  supplies  and  for 
the  weapons  themselves* 

Rules  are  presented  in  the  last  sec- 
tion which  allocate  all  types  of  manpower 


direct,  supervisory,  managerial,  and 
administrative  — within  the  support 
organizations.  The  men  themselves  have  a 
support  system  that  provides  them  with 
training,  subsistence,  re-enlistment  bo- 
nuses, and  retirement  pay.  This  secondary 
support  system  will  be  reflected  in  the 
cost  model  as  an  increase  in  the  cost  of  a 
man-hour fs  labor.  The  methods  of  computing 
this  increase,  and  its  size,  will  be  left 
out  of  this  account;  the  cost  of  a man- 
hour^ labor  in  the  different  organiza- 
tions, ranks,  and  grades  will  be  regarded 
as  a parameter  of  the  model. 

Supplies 

Supplies  are  the  first  source  of  ex* 
penditure  coming  to  mind  in  the  considera- 
tion of  support  costs.  Supply  costs  form 
the  third  visible  source  of  expenditure. 

Time 

Time-delays  act  to  inflate  the  supply 
system.  They  contribute  an  invisible 
source  of  expenditure  that  must  be  charged 
to  the  responsible  activity. 

Procedure  for  Constructing 
An  Allocation  Model 


A step-by-step  procedure  for  develop- 
ing a cost-allocation  model  is  presented 
in  the  following  section.  Application  of 
the  sequential  set  of  rules  will  yield  a 
model  for  making  monthly  estimates  of  the 
cost  of  supporting  a particular  weapon 
system.  The  cost  will  be  distributed 
among  the  various  units*  of  the  system, 
with  a residue  left  over  for  assignment  to 
parts  which  cannot  be  rationally  distrib- 
uted back  to  any  particular  units.  The 
allocation  takes  the  form. 

Total  cost  = Cost  of  unallocated 
parts  + V (cost  of 
units)  ^ (l) 

The  costs  of  units  are  further  sub- 
divided into  costs  at  different  echelons; 
at  each  echelon. 

Cost  of  unit  = Cost  of  equipment  + 

Cost  of  maintenance 
+ Cost  of  supply.  (2) 

The  connection  between  echelons  is 
made  at  two  points:  (l)  the  cost  charged 

the  lower  echelon  is  dependent  upon  events 
at  higher  echelon;  (2)  some  of  the  costs 
at  the  higher  echelon  arise  from  units 
charged  back  from  lower  echelons  to  cover 


*The  term  ,funit, 11  as  used  here,  refers 
to  the  weapons  system  or  any  of  its  identi- 
fiable subsystems. 

100 


inventory  inflation  caused  by  increased 
lags  in  deliveries  from  the  higher  eche- 
lon* 

At  each  echelon,  continuing  from  Equa- 
tion (2),  maintenance  and  supply  costs 
are  made  up  of  manpower  and  material  ex- 
penditures : 

Cost  of  maintenance  = Cost  of  man- 
power + Cost 
of  parts  used 
in  maintenance 
+ Cost  of  new 
units  charged 
to  maintenance . 

(3) 

Finally,  the  manpower  cost  has  been 
derived  in  such  a way  that  the  contribu- 
tion  of  different  organizational  features 
and  subdivisions  to  overhead  is  clearly 
established; 

Manpower  cost-»F(overhead  factors 
from  different 
sources)  (4) 

where  the  function,  F,  includes  the  organ- 
izational structure,  and  the  factors 
represent  the  extent  of  overhead  incurred 
in  the  overhead  sources  established  by 
this  organization. 


Allocation  Rules 

As  previously  stated,  the  rules  pre- 
sented in  this  section  can  be  used  to 
construct  a cost  allocation  model  which 
will  account  for  most  of  the  costs  incur- 
red in  the  support  of  weapon  systems. 

The  rules  are  designed  for  piece-wise 
construction  of  a model,  i.e.,  different 
parts  of  the  support  organization  at  dif- 
ferent echelons  will  be  represented  by 
different  terms.  The  way  the  pieces  are 
developed  ensures  maximum  sensitivity  to 
actual  events,  procedures,  and  organiza- 
tional features. 

Rule  1 

Every  weapon  system  support  organiza- 
tion will  contain  maintenance  and  supply 
systems,  and  usually  several  echelons  of 
each. 

Draw  a flow  diagram  representing  the 
flow  of  parts  and  spares,  and  of  repaira- 
ble and  serviceable  items  between  the 
various  maintenance  and  supply  organiza- 
tions. Be  sure  to  note  the  time  delays. 

Example  r The  gross  flow  of 
parts  and  units  on  an  Air 
Base  is  diagrammed  in  Figure  1. 


From  the  flow  diagram,  derive  a for- 
mula which  will  have  the  form: 

Total  Charge  per  echelon  = Equip- 
ment charge  4-  Maintenance 
charge  4-  Supply  charge  (l) 

Note  that  Total  Charge  includes  all  units 
and  parts,  and  all  maintenance  actions. 

The  equipment  charge  represents,  for  ex- 
ample, the  cost  of  condemned  equipment, 
which  cannot  be  ascribed  to  either  organi- 
zation. With  the  aid  of  the  diagram  write 
for  each  term  in  each  echelon  an  equation 
of  the  following  form,  where  the  terms  and 
time-delays  are  identified  with  organiza- 
tions on  the  diagram. 

Maintenance  Charge  = Manpower  charge 
4-  Materials  charge  4-  Charge  for 
time  delays  in  the  maintenance 
system.  (2) 

and 

Supply  Charge  « Manpower  charge 
4-  Materials  charge  4-  Charge 
for  time  delays  in  supply 
system,  (3 ) 

Example  (cont!d):  (a)  In  Figure  1, 

the  delay  in  the  base  repair  of 
units  is  marked  (l),  the  delay  in 
delivery  of  NETS  units  to  base 
supply  is  marked  (2).*  (b)  The 

time  delays  chargeable  to  supply 
in  the  example  are  the  ones  mark- 
ed (3),  delivery  of  bad  units, 
and  (4)  and  (5),  which  are  delays 
in  the  ordering  of  new  parts  and 
units  from  depot. 


Rule  2 
Step  2.1 

Break  down  the  manpower  charges  among 
the  different  units  of  the  weapon  system. 

This  step  represents  a major  effort 
for  each  term  representing  organizations. 
It  has  been  accomplished  for  the  mainte- 
nance manpower  at  air  bases.  A detailed 
description  of  the  procedure  is  contained 
in  References  2 and  3*  A guide  to  per- 
forming this  task  is  presented  below. 


*The  method  of  computing  charges  for 
time-delays  is  described  in  Rule  3* 


101 


Step  2.1,1 


Obtain  a detailed  organization  chart. 
Draw  the  flow  of  work  assignment.  Estab- 
lish which  organizations  support  each 
unit,  and  which  overhead  functions  support 
the  direct  labor  in  each  sub-organization. 

Example  f cont *d) : Figure  2 is  a 

diagram  of  part  of  a base  mainte- 
nance organization.  Figure  3 
diagrams  the  flow  of  men,  materials, 
and  control  documents  at  an  Air 
Base, 

Step  a, 1,2 

Estimate  the  amount  of  direct  labor 
spent  each  month  in  each  subdividion  of 
the  organization  on  each  type  unit  (and 
type  part,  if  it  is  a supply  organiza- 
tion), Estimate  the  number  of  actions 
per  month  taken  in  support  of  each  type 
unit. 

Example  fcont’d) : At  an  Air 

Base,  the  values  mentioned  in 
Step  2.1*2  are  obtained  from 
the  AFM  66-1  Maintenance  Data 
Card  Systems.* 

Step  2,1*3 

Divide  the  overhead  labor  into  two 
classes:  (l)  Administrative,  which  is 

incurred  for  each  action,  (2)  Managerial, 
which  is  incurred  for  each  man. 

Compute  in  each  subdivision  a per- 
action  and  per -manhour  overhead  time 
charge,  as  well  as  an  overhead  cost  charge, 
using  the  information  from  Step  2.1  as  to 
which  actions  benefit  from  particular 
overhead  centers. 

Step  2,2 

Figure  in  the  dollar -cost  of  man- 
power , 

Step  2,2.1 

Estimate  the  amount  of  overhead  labor 
spent  each  month  in  each  payclass  and 
overhead  labor  category,  in  each  subdivi- 
sion of  the  organization 


*In  principle,  these  two  systems 
give  all  the  information  needed;  (they  do 
seem  to  provide  100^  coverage),  ARINC 
Research  Corporation  is  currently  inves- 
tigating their  accuracy,  A test  of  the 
sensitivity  of  costs  to  the  type  and  de- 
gree of  inaccuracies  found"  will  be 
instituted. 


Example  (confd):  At  an  Air 

Base  these  quantities  are 
obtained  from  the  AFM  66-1 
Exception  Time  Card  System, 

Step  2,2,2 

Estimate  the  cost  of  an  hour’s  labor 
in  each  category  in  each  subdivision  of 
the  organization. 

Example  (cont'd):  A weighted 

average  of  the  actual  hourly 
pay  in  each  Air  Force  work- 
center  is  available  from  the 
base  records. 

Step  2,3 

Combine  into  manpower  and  dollar - 
charges. 

Step  2,3*1 

After  accumulating  administrative- 
type  charges  between  management  levels,  a 
series  of  overhead  time  and  cost  factors, 
representing  the  overhead  Incurred  at  dif- 
ferent levels  for  that  subdivision,  can 
be  produced  for  each  subdivision  of  the 
organization.  This  procedure  yields, 
after  accumulation,  a listing  for  two 
levels  of  management,  of  the  form 


Subdivision 

Admin. 

Time 

Mgmt. 

Time 

Admin. 

Time 

Mgmt, 

Time 

Identity 

a 

m 

a1 

m 1 

Subdivision 

Admin . 
Cost 

Mgmt. 

Cost 

Admin, 

Cost 

Mgmt 

Cost 

Identity 

ca 

cm 

°a 1 

cmt 

Subdivision  Direct  Labor 
Cost 

Identity 

Example  (cont|djj  At  an  Air 
Base,  scheduling  and  motor 
vehicle  time  would  be  admin- 
istrative type  charges,  and 
management  would  be  a mana- 
gerial type  charge. 

An  example  of  cost-factor 


listing  is 

given  below. 

Workcenter 

26350 

No. 

a m a1  m* 

1.62  0.107  0.60  0.036 

c 

a 

m 

a'  m*  1 

2.55 

2,70 

1.64  4.01  1.21 

102 


(Numbers  are  obtained  from 
February  1962  Data  for  Walker 
AFB. ) 

Step  2.3.2 

Compute  the  per-action  time  and  cost 
charges ,,  by  the  following  formulas: 

t = P + Ql,  (4) 

where  t = time  per  action, 

1 = direct  time  on  this  action; 

and 


Step  3-1 

(a)  Obtain  a count  of  the  number  of 
serviceable s for  each  type  of  unit  de- 
livered to  the  supply  organization  of  an 
echelon,  and  the  cost  per  unit  (for  cost 
per  unit,  see  Rule  4)* 

(b)  Obtain  a count  of  the  number  of 
each  type  of  part  delivered  to  the  supply 
organization  at  each  echelon,  and  their 
costs* 

(c)  Obtain  a count  of  the  average 
monthly  backlog  for  each  type  unit  in  the 
maintenance  organisation,  divided  into  an 

(5)  "awaiting  parts"  class  and  an  "awaiting 
maintenance"  class* 


where  C ~ cost  per  action. 

Hence,  P,  Cp  and  Cq  contain  the 
overhead  time  and  cost  charges  for  the  sub- 
division by  which  the  action  was  performed. 
If  these  are  a,  ar,  ca,  ca1  for  administra- 
tive charges,  and  m,  m1,  cm,  cmt  for  mana- 
gement charges,  for  two  levels  of  manage- 


ment, then: 

P = a(l+m) (1+m1 ) + a* (l+m1 ) (6) 

Q = (1+m) (1+m*)  '7) 

cp  = a*ea  + a ' * ca*  + Vm  a 

+ cm, -m' (a1  + (l+m)a)  (8) 

CQ  = C1  + V"  + cvm'(1+m)  (9) 


Add  the  per-action  costs  and  times  over  all 
similar  units  for  the  month  considered* 
Compute  average  figures  for  the  cost,  time, 
and  direct  labor* 

Example  (cont *d) £ Part  of  such 
a listing  is  given  in  Table  1, 

The  first  column  identifies  the 
units*  The  succeeding  columns 
are,  in  order : time  (with  over- 

head), cost,  direct  labor,  number 
of  units  handled,  average  time, 
average  cost,  average  direct 
labor. 


(d)  Obtain  a count  of  the  number  of 
each  type  unit  condemned  by  the  mainte- 
nance organization. 

(e)  Obtain  a count  of  the  number  of 
each  type  unit  returned  to  a higher  eche- 
lon for  maintenance.  If  necessary,  dis- 
tinguish between  those  returned  for  legit- 
imate reasons,  those  returned  for  specious 
reasons,  and  those  returned  for  lack  of 
parts . 

(f)  If  there  Is  a parts  stockroom 
serving  maintenance  directly,  obtain  the 
cost  of  parts  delivered  to  this  stockroom 
during  the  month* 

(g)  Obtain  the  number  of  units  and 
parts  of  each  type  on  back  order, 

(h)  Obtain  the  cost  of  parts  used 
to  repair  each  type  of  unit  during  the 
month,  distinguishing  between  those  which 
came  from  a maintenance  stockroom,  and 
those  which  came  directly  from  supply. 

Only  units  and  parts  received  from  supply 
are  charged* 

Units  are  charged  by  the  following 
procedure : 

(a)  Units  received  are  charged 
against  equipment,  up  to  the  number  that 
are  either  condemned  or  sent  for  mainte- 
nance to  higher  echelon  for  legitimate 
reasons* 


Rule  3 

Allocate  the  monthly  material  costs 
to  units,  and  compute  the  charges  for  time 
delays*  By  the  setting  up  of  check  points 
where  delays  may  result  In  the  accumula- 
tion of  stock,  new  acquisitions  can  be 
charged  to  stock  accumulation  on  arrival. 
This  procedure  automatically  charges  time- 
delays  to  the  responsible  activity*  The 
appropriate  procedure  is  as  follows; 


(b)  If  any  units  are  left,  they  are 
charged  in  the  following  sequence; 

(i)  Against  maintenance,  up 
to  the  number  returned  for 
maintenance  to  higher  echelons 
for  specious  reasons* 

(ii)  Against  supply  up  to  the 
number  returned  for  maintenance 
to  higher  echelon  because  of 


103 


lack  of  parts,  provided  the 
parts  have  been  on  back  order 
more  than  a month. 

(ill)  Against  maintenance,  up 
to  the  average  monthly  backlog 
awaiting  maintenance. 

(iv)  Against  supply,  up  to  the 
number  which  are  awaiting  parts, 
for  which  the  parts  have  been 
back-ordered  for  less  than  a 
month . 

(v)  Against  the  higher  echelon 
supply,  up  to  the  number  that 
have  been  either 


by  Rule  (e),  one  of  the  five 
remaining  is 
charged  to  supply; 
by  Rule  (f),  three  of  the  four 
remaining  are 
charged  back  to 
the  depot; 

by  Rule  (g),  the  one  remaining 
is  charged  to 
supply. 

Hence  the  total  charges  are : 


To  Equipment  $ 5*000 
To  Maintenance  5*000 
To  Supply  2,000 
To  Depot  3*000 


(i)  on  back  order,  or 


Total  Charge  $15*000... 


(ii)  awaiting  maintenance 
for  parts  or  sent  for  repair 
for  lack  of  parts,  with  the 
parts  back  ordered  a month 
or  more . 

(vi)  Against  supply. 

Example : Suppose  on  an  Air  Base^ 

for  a particular  month^  fifteen 
units  costing  $1000  apiece  are 
received  from  the  depot,  and 
counts  are  as  follows: 


. . . which  was  the  expenditure  made 
by  the  base. 

The  base  stock  of  the  unit  has  risen 
by  ten,  of  which  three  are  needed  because 
of  delays  at  depot  (two  back-ordered,  and 
one  awaiting  parts  which  are  back-ordered), 
and  the  other  seven  are  needed  to  cover 
delays  in  maintenance  and  supply. 

Step  3 >2 


Parts  are  charged  as  follows : 


(a)  Three  are  condemned  and  two 
returned  to  depot  because  repair 
was  not  authorized. 

(b)  Two  are  returned  for  repair 
to  depot  because  of  ari  excessive 
work  backlog. 

(c)  None  are  sent  to  depot  for 
repairs,  because  of  lack  of  parts. 


(a)  Parts  used  in  equipment  repair 
are  charged  against  equipment.  Distin- 
guish for  each  part  type  between  those 
which  came  from  a maintenance  stockroom 
and  those  which  came  from  supply. 

(b)  Maintenance  is  charged  with  parts 
delivered  to  the  maintenance  stockroom, 
less  parts  from  the  stockroom  charged  to 
equipment . . 


(d)  The  average  monthly  backlog 
awaiting  maintenance  is  three. 

(e)  Two  are  in  maintenance  back- 
log awaiting  parts,  but  for  one 
unit  the  parts  have  been  on  back- 
order for  more  than  a month. 

(f)  Two  units  had  been  on  back 
order  when  the  fifteen  arrived. 


Then  by  Rule  (a),  five  are  charged 
to  equipments; 
by  Rule  (b),  two  of  the  ten 
remaining  are 
charged  to 
maintenance; 

Rule  fc)  does  not  apply; 
by  Rule  (d),  three  of  the 

eight  remaining 
are  charged  to 
maintenance; 


(c)  Supply  is  charged  with  the  re- 
maining parts,  less  those  (l)  charged  to 
the  maintenance  stockroom,  (2)  charged  to 
equipment  which  came  from  supply,  and  (3) 
on  back  orders  for  a month  or  more. 

(d)  Depot  is  charged  with  parts  on 
back-order  for  a month  or  more. 

(e)  Charge  as  much  as  possible  of 
the  parts  costs  against  particular  units. 

Example : Suppose  twelve  parts  of 

a type  arrive  during  the  month,  of 
which  six  are  delivered  to  bench 
stock.  Then  suppose  six  are  used, 
four  from  bench  stock,  and  two  from 
base  supply,  one  of  which  had  been 
on  order  for  six  weeks.  If  the 
parts  cost  $10  each,  then  the  fol- 
lowing charges  are  made : 


10b 


To  Equipment  $ 60 

To  Maintenance . . . $60-40=  20 

To  Supply $120-60-20-10=  30 

To  Depot  * * * 10 

Total * ..$120 

Again,  the  equation  balances,  for 
the  base  stock  has  risen  by  six 
items,  of  which  two  augment  the 
maintenance  stock,  three  the  base- 
supply,  and  one  covers  the  increas- 
ed time-lag  in  delivery  from  depot. 

Step  3*3 

Add  the  per-unit  materials  and  delay 
costs  obtained  from  Step  3*1  to  the  costs 
obtained  by  Step  3*2,  which  is  chargeable 
to  units,  to  obtain  a total  per-month 
cost  of  the  unit  on  the  particular  station. 

Not  all  the  parts  costs  obtained  by 
Step  3*2  will  in  general  be  chargeable  to 
units;  some  will  often  have  to  go  as  an 
overhead  charge  against  the  support 
system. 

Rule  4 

To  find  the  per  unit  cost  of  units 
arriving  at  a supply  point,  proceed  as 
follows : 

Step  4.1 

At  the  lowest  echelon,  only  units 
arriving  from  outside  are  assigned  a 
price.  Units  put  back  into  stock  after 
repair  are  not  priced,  nor  are  those  units 
counted  in  charging  materials  costs  to 
activities. 

Step  4.2 

At  higher  echelons,  only  units  leav- 
ing for  other  supply  points  are  assigned 
a price.  Where  units  arrive  from  still 
higher  echelons,  or  from  maintenance  at 
the  same  echelon,  the  price  assigned  will 
be  a weighted  average  of  the  price  charg- 
ed for  new  units,  and  the  cost  of  mainte- 
nance performed  at  that  echelon  on  re- 
paired units.  The  cost  of  maintenance 
includes  handling  and  delays,  as  describ- 
ed in  Rule  3* 

Example ; If  during  one  month, 

100  new  units  arrive  at  a depot 
from  a manufacturer  at  $1000 
apiece,  and  50  from  depot  mainte- 
nance which  have  cost  $400  apiece, 
then,  for  that  month. 

Total  Cost  of  Units  = 

(ioox$iooo)  + (5Qx$4oo)  = |8oo> 


Future  Development  and  Present  Use 
Present  Status  of  Model  Development 

In  the  Introduction,  a parallel  was 
drawn  between  reliability  theory  and  cost 
analysis.  The  rules  in  the  preceding 
section  are  of  the  same  form  as  the  rules 
for  constructing  reliability  models. 

Several  distinctions,  however,  can  be 
noted  between  the  present  states  of  the 
two  arts.  A reliability  text,*  after 
stating  rules  for  modeling,  will  discuss 
statistical  distributions  which  failures 
may  follow,  and  mathematical  methods  of 
finding  the  failure  distributions  of  more 
complicated  systems  from  simpler  ones. 

Due  emphasis  is  given  to  the  increase  in 
reliability  which  may  be  obtained  by 
introducing  redundancy.  For  cost  analyses, 
however,  historical  information  on  costs, 
distributed  into  the  categories  described 
in  the  foregoing  rules,  is  very  difficult 
to  obtain.  On  the  other  hand,  the  build- 
ing up  of  the  costs  of  more  complicated 
systems  from  the  costs  of  Its  constitu- 
ents is  primarily  an  additive  process, 
which  is  much  less  complicated  than  the 
combinatorial  processes  for  reliability 
models.  Finally  redundancy,  which  intro- 
duces many  of  the  difficulties  in  relia- 
bility analysis,  is  not  a recommended 
method  of  cost  reduction. 

Present  Use  of  Model  Parts 

The  rationale  from  which  the  alloca- 
tion rules  were  derived  was  to  view  cost 
information  as  indispensible  to  management 
control  and  decision-making.  Consequently, 
at  each  level  of  management,  the  cost- 
information  obtained  will  be  sensitive  to 
the  actions  controlled  by  management,  and 
to  Its  decisions.  The  higher  the  level  of 
management,  the  greater  the  scope  of  the 
organization  controlled  and  the  decisions 
to  be  made.  Correspondingly  less  detailed 
information  will  be  needed.  However, 
implicit  in  the  use  of  aggregated  infor- 
mation for  making  large-scale  decisions 
is  the  assumption  that  the  costs  which 
have  been  aggregated  are  optimum  and  that 
lower-level  decisions  will  be  made  from 
more  detailed  information. 

The  type  of  model  described  herein 
does  two  things:  it  develops  cost  data 

sensitive  to  the  smallest  piece  of  equip- 
ment and  the  lowest  management  level  that 
can  be  distinguished  in  the  data,  then 
gives  rules  for  aggregating  these  costs  to 
successively  larger  pieces  of  equipment 
and  higher  levels  of  management.  Each 


*See,  for  example.  Reference  4. 


105 


major  piece  of  the  model,  as  it  Is  develop- 
ed, will  serve  the  control  and  Information 
needs  of  a major  management  level.  Thus, 
the  model  which  distributes  maintenance 
manpower  at  an  airbase  exhibits  overhead 
costs  and  workloads  at  all  lower  levels 
of  management.  If  introduced  as  a routine 
method  in  the  digestion  of  base  mainte- 
nance data,  the  model  will  furnish  the 
cost  part  for  any  comparison  of  the  cost- 
versus-effectlveness  of  identical  organi- 
zations on  different  bases,  and  of  dif- 
ferent organizations  on  the  same  base. 

Use  of  The  Complete  Model 

Once  the  complete  model  has  been 
developed  and  historical  costs  in  the 
various  categories  accumulated,  informa- 
tion will  be  provided  at  all  levels  of 
management  of  support  systems.  For  cur- 
rent systems,  the  model  will  aid  in  the 
following  functions. 

Management  of  Current  System  The 
model  will  provide: 

(1)  Comparative  cost  data  on  the 
operation  of  major  subordinate  organiza- 
tions. 

(2)  The  complete  cost  of  the  present 
support  of  units,  to  ascertain  which  units 
might  repay  engineering  changes. 

(3)  Factors  which  measure  the  elas- 
ticity of  support  costs  to  the  frequency 
of  unit  failures,  and  the  direct  labor 
time  required  for  repair.  These  can  be 
used  to  evaluate  the  savings  to  be  obtain- 
ed from  projected  engineering  changes. 

(4)  Information  needed  to  compare 
the  costs  of  maintenance  at  different 
echelons j e.g,,  which  repairs  are  made 
cheaper  at  depot,  and  which  at  base  level. 

(5)  Information  needed  to  trade  off 
possible  support  savings  against  Increases 
in  fixed  Investment,  e.g.,  the  introduc- 
tion of  new  test  equipment. 

(6)  A simulation  tool  with  which 
suggested  changes  in  the  support  organi- 
zation can  be  evaluated  before  they  are 
put  Into  effect. 


on  a routine  basis,  the  Information  which 
management  needs. 

Planning  Good  current  Information 
Is  necessary  for  good  planning.  From 
sufficient  support-cost  information  — 
sensitive  to  equipment  characteristics, 
organizational  features,  and  the  charac- 
teristics of  manpower  — it  will  be  possi- 
ble to  derive  equations  to  predict  support 
costs  of  future  systems.  If  derived  in 
this  way,  the  equations  will  depend  on 
parameters  which  will  change  with  new 
weapons  systems;  hence,  the  equations 
will  be  easy  to  adjust  to  radically  new 
concepts. 

In  this  area  perhaps  the  biggest 
payoff  will  come.  With  the  new  planning 
concept*  which  depends  upon  estimating 
the  long-term  costs  of  programs,  good 
equations  for  future  costs  have  become 
indispensable  to  bringing  a concept  to 
fruition.  The  best,  as  well  as  the  easi- 
est, procedure  is  to  base  such  predic- 
tions on  a routinely-provided  series  of 
data,  which  are  both  sensitive  and  cur- 
rent. 


References 

1 Selective  Bibliography  on  Program 
Budgeting  in  the  Department  of 
Defense,  Issued  to  participants  in  the 
Costing  Work  Group  at  the  9th  MORS, 

Ft.  Monroe,  Va.,  April  1962, 

2 Special  Interim  Report  on  Cost  Studies, 
D.  E,  Van  Tijn,  ARINC  Research  Publiea- 
tion  No,  159-1 ”250,  dated  14  July  1961. 

3 Second  Special  Report  on  Cost  Studies, 
D.  E+,  Van  Tijn,  ARINC  Research  Publica- 
tion No.  206-1-277,  29  January  1962. 

4 A Revised  Course  in  Reliability  Theory 
and  Practice,  ARINC  Research  Corpo- 
ration Publication  No.  123-7-196. 

5 Novick,  D. , System  and  Total  Force 
Cost  Analysis,  The  RAND  Corporation, 
Research  Memorandum  RM-695,  dated 
April  15,  1961. 


Of  course,  many  of  the  tradeoffs 
listed  above  are  now  made,  and  made  every 
day.  However,  the  cost  part  of  the  equa- 
tion Is  usually  obtained  with  great  trou- 
ble on  an  ad  hoc  basis,  and  used  long 
after  the  circumstances  on  which  it  was 
based  have  changed.  The  kind  of  model 

described  would  automatically  provide  the  

Information  needed.  It  would  therefore 

be  more  often  used  than  circumvented,  and  *See,  for  Instance,  References  1 and 

would  be  current.  The  model  would  provide,  5. 


106 


MAINTENANCE 


SUPPLY 


activities 


actions 


units 

parts 


(l)  time  delays 

g good  units 

b bad  units 

NHTS  Not  Repairable 

This  Station 


FIGURE  1 

GROSS  FLOW  OF  UNITS  AND  PARTS  ON  AN  AIRBASE 


107 


108 


FIGURE  2 

SEGMENT  OF  A BASE  MAINTENANCE  ORGANIZATION  CHART 


FIGURE  3 

FLOW  OF  MEN,  MATERIALS,  AND  CONTROL  DOCUMENTS 


COST  ALLOCATION  PRINTOUT 


CV1 

OJ 


CM 

OJ 

CM 

IS- 

CM 

CM 

00 

LA  O 

OJ 

CM 

CM 

1 — 1 

l a 

OJ 

0J 

CM 

VO 

00 


on  on  vo 


IS- 

00 

OO 

O 

CM 

1 — 1 

1 — 1 

O 

OO 

VO 

LA 

* 

00 

CM 

CM 

Ch 

LA 

LA 

o\ 

00 

CT\ 

O 

00 

o\ 

o\ 

Ch 

1 — I 

1 — 1 

O 

1 — 1 

1 — 1 

1 — 1 

1 — 1 

1 — 1 

1 — 1 

I — 1 

§ 

OO 

• 

1— 1 

0 

IS- 

0- 

IS- 

OO 

00 

OO 

00  00 

00  rH 

E-i 

LA 

-=t 

-=t 

00 

LA 

LA 

LA 

00  H 

rH 

1 — 1 

OJ 

OJ 

LA 

1 — 1 

1 — 1 

CM 

CT\ 

C^ 

on 

OJ 

O 

O 

0 

0 

O 

O 

O 

O 

O 

o\ 

CM 

1 — 1 

H 

on 

CM 

CM 

00 

0J 

00 

IS- 

00 

LA 

• 

• 

• 

0 

• 

# 

» 

• 

♦ 

• 

# 

# 

CM 

0J 

-=t 

00 

LA 

CM 

0 

VO 

00 

LA 

0 

O 

O 

O 

O 

O 

O 

O 

0J 

IS- 

iH 

IS- 

LA 

0J 

G\ 

IS- 

VO 

VO 

1 — 1 

0J 

rH 

CM 

vo 

LA 

O 

LA 

LA 

00 

LA 

LA 

O 

-=J- 

VO 

Ch 

LA 

• 

• 

* 

• 

• 

» 

• 

• 

♦ 

• 

• 

• 

0 00 

Ch 

00 

00 

o\ 

rH 

on 

00 

Ch 

CM 

CM 

HO- 

ho- 

rH 

rH 

1 — 1 

rH 

CM 

(T\ 

rH 

<J\ 

rH 

-to- 

HO- 

HO- 

HO- 

HO- 

HO- 

HO- 

-=t 

rH 

VO 

HO- 

HO- 

HO- 

vo 

O 

VO 

vo 

0 

is- 

is- 

00 

CM 

O 

CM 

on 

rH 

-=3" 

00 

on 

on 

IS- 

CM 

IS- 

IS- 

-3* 

Eh 

• 

* 

* 

• 

• 

• 

• 

• 

• 

• 

LA 

cr\ 

c^ 

on 

CM 

00 

LA 

O 

rH 

00 

-=t 

rH 

LA 

CM 

rH 
1 — 1 

vo# 

vo 

on 

S 

rH 

IS- 

0 

rH 

on 

-=t 

0 

CM 

rH 

1 — 1 

rH 

1 — 1 

rH 

rH 

1 — 1 

rH 

LA 

LA 

LA 

P 

CM 

CM 

CM 

CM 

on 

on 

on 

on 

on 

on 

on 

on 

0 

PQ 

ffl 

pq 

pq 

pq 

pq 

pq 

pq 

pq 

pq 

pq 

pq 

0 

C5 

C5 

0 

0 

0 

C5 

0 

0 

cs 

<3 

0 

c? 

110 


GB360  196.10  $317.30  147.4  373  .5  .85 
GB36  196.10  $317.30  147.4  373  .5  .85 
GB3  610.80  $1,028.31  423.7  694  .8  1.48 


RESULTS  OF  A TEST -TO -FAILURE  PROGRAM  OK  ELECTRONIC  PARTS 


)P 


Icuis  M,  St,  Martin 
Staff  Engineer 

Array  Weapon  Systems  Management  Reliability 
General  I^piamic  s/Pomona  VJP51  c 

Pomona,  California 


Sumary 


General  dynamics /Pomona  as  the  prime 
contractor  for  the  MAULER  Weapon  System  is  con- 
ducting  a strong  reliability  program  according 
to  policy  established  by  AOMC,  One  of  the 
requirements  of  this  policy  is  that  reliability 
testing  of  components  to  failure  be  conducted 
in  order  to  determine  safety  margins.  The  safety 
margin  is  a statistical  relationship  between  the 
strength  of  the  component  and  its  use  environment. 

The  USA0MC  policy  was  implemented  by  a 
MAULER  Weapon  System  Test- to  -Failure  Plan*  This 
plan  established  the  objectives  and  scope  of  the 
test  program,  the  basis  for  selection  of  candi- 
dates and  test  environments,  a list  of  the 
candidates  and  environments,  uniform  test-to- 
failure  language,  uniform  test  method,  criteria 
for  judgment  of  test  results,  initiation  of 
corrective  action  on  failed  items,  test  reports, 
and  test  schedules. 

Forty- two  tests  on  twenty- three  parts  and 
seven  assemblies  have  been  completed;  some  items 
were  tested  in  more  than  a single  environment. 

The  environments  were  high  and  low  temperature, 
vibration,  shock,  and  acoustic  noise.  Twenty- 
six  of  the  tests  disclosed  adequate  safety 
margins.  The  other  sixteen  tests  resulted  in 
corrective  action  ranging  from  reducing  the 
stress  on  the  item  to  replacing  the  item  with 
one  of  adequate  strength. 

The  lead  time  gained  by  this  program  on  the 
potential  problems  has  been  a direct  benefit  of 
this  program.  Of  indirect  benefit  has  been  the 
increased  confidence  the  designer  has  in  the 
items  passing  the  test  which  allows  him  to  dis- 
miss doubts  and  concentrate  on  other  unknowns. 

The  author  recommends  the  use  of  test-to- 
failure  by  designers  in  selecting  and  evaluating 
components,  determining  the  failure  modes  of 
parts,  materials  and  assemblies,  and  identiiying 
"weak  links"  in  a system.  It  is  a discriminating 
test  of  subtle  changes  in  design  or  materials 
and  as  such  the  author  considers  it  useful  as  a 
quality  control  tool  or,  in  non -destructive 
configurations,  a powerful  screening  test.  He 
recommends  it  as  a prelude  to  the  design  of  a 
life  test  as  it  provides  data  on  the  behavior  of 
the  test  specimen  which  eliminates  much  of  the 
necessary  guesswork. 

Background 

The  MAULER  Reliability  Problem 

MAULER  is  a fast  reacting,  compact,  high 
accuracy  air  defense  system  for  forward  battle 


areas.  The  challenges  to  the  reliability  of 
MAULER  are  manifold  and  the  U,  5*  Ariry  expects 
these  challenges  to  be  identified  and  treated 
in  the  early  research  and  development  phases 
during  which  the  tax  payees  dollar  could  buy 
the  maximum  of  trouble-free  life  in  the  field. 

The  MAULER  Reliability  Program 

Two  major  MAULER  reliability  activities 
are  required  by  Army  Ordnance  Missile  Command; 
a determination  of  the  environmental  stress  or 
design  level  (Reliability  Boundary)  which  shall 
be  used  as  the  basis  for  selection  or  develop- 
ment of  parts,  sub-assemblies,  assemblies  and 
equipments,  and  an  intensive  laboratory  test- 
to-failure  program  of  critical  parts,  sub- 
assemblies,  assemblies  and  equipments  selected 
for  integration  into  the  system. 

General  Itynamics /Pomona,  in  agreement  with 
the  customer,  evolved  a broad  reliability 
program  which  would  utilise  all  the  reliability 
techniques  pertinent  to  the  problem  commensurate 
with  a balance  between  the  objectives,  the 
AOMG  requirements,  and  the  economic  resources. 
This  program  includes  a prediction  of  the 
field  reliability  to  identify  and  correct 
major  weaknesses,  an  estimate  of  the  field 
maintenance  required  to  keep  the  system  in 
operation,  establishment  of  reliability  goals 
to  be  achieved  in  desi^i,  a comprehensive 
analysis  of  the  environments  and  conditions  of 
use,  tests  of  the  susceptibility  of  the  elements 
of  the  system  to  failure  in  these  environments 
and  conditions,  a continuous  review  of  design 
paper,  guidance  in  selection  and  application 
of  parts  and  materials,  a demonstration  of  the 
degree  to  which  the  reliability  objectives 
have  been  met  in  early  models,  and  finally  an 
assessment  of  reliability  in  prototype  and 
tactical  hardware  with  appropriate  correction 
of  the  remaining  problems.  Coupled  with  these 
tasks,  there  is  the  reliability  engineer's 
obligation  to  assist  the  designer  in  identify- 
ing and  eliminating  problems  as  they  arise. 


The  Analysis  of  Environments 

The  analysis  of  environments  was  divided 
into  three  phases.  First,  a research  into  all 
available  data  on  natural  environments  was 
made.  Data  on  vibration,  shock  and  noise  were 
obtained  during  road  and  field  tests  of  vehicles 


111 


similar  to  the  MAULER  carrier*  The  results  of 
these  studies  were  incorporated  in  the  specifi- 
cations for  the  various  subsystems!  radars* 
computers*  power  generators*  missiles*  communica- 
tions* launchers*  etc*  Next*  the  Industrial 
Team  Membf  3 (Burroughs  Corporation*  FMC  Corp- 
oration* General  Dynamics /Electronics*  General 
Rynamic s/Pomona*  and  Raytheon  Company;  performed 
an  analysis  in  which  the  external  environments 
of  the  specifications  were  combined  with  the 
environments  generated  within  the  individual  sub- 
system* Finally*  the  subsystem  analyses  were 
combined  in  an  analysis  of  weapon  system  environ- 
ments in  which  interactions  between  subsystems 
were  identified*  These  analyses  give  reliability 
and  design  personnel  high  visibility  into  the 
problems  created  by  the  environments  and  help 
identify  areas  of  critical  weaknesses  for  use  in 
the  reliability  predictions  and  suggest  potential 
corrective  actions*  The  analyses  are  updated  as 
significant  changes  in  hardware  occur  or  accuracy 
of  environmental  data  is  improved* 

With  the  analyses  of  subsystem  and  system 
environments  in  hand,  the  Industrial  Team 
Members  were  able  to  compare  the  capabilities  of 
the  parts  and  assemblies  they  would  be  using 
with  the  conditions  of  use,  identify  those  items 
which  appeared  to  lack  the  necessary  capability* 
and  treat  the  anticipated  problem. 

Major  Features  of  the  MAULER  Test-to-Failure 
Program 

Tests- to -Failure  in  the  MAULER  program  are 
performed  by  the  Industrial  Team  Members*  These 
team  members  are  responsible  for  selecting  item- 
environment  combinations  for  test,  performing 
tests  and  analyzing  data,  making  decisions  on 
the  acceptability  of  the  tested  parts  and 
reporting  the  results  of  each  test  and  any 
ensuing  corrective  action*  The  Army  Weapon 
Systems  Management  Department  of  General  Dynamics/ 
Pomona  is  responsible  for  administering  the 
program.  The  administrative  details  are  contained 
in  a Weapon  System  Test-to-Failure  Plan. 

A part  is  selected  for  test  if  it  is  a high 
population  item*  a new  or  non-standard  item*  if 
it  has  an  unknown  response  to  an  environment,  or 
a history  of  failure*  A test  is  defined  as 
failure  of  all  parts  of  a sample  in  a single 
environment.  Failure  can  be  any  change  in  part 
characteristics  of  interest  to  the  test  designer 
and  it  is  not  limited  to  a permanent  change*  In 
the  earliest  phase  of  MAULER  development* 
testing  was  concentrated  on  piece  parts.  In 
later  phases  increased  emphasis  is  being  placed 
on  testing  sub -assemblies* 

Results  of  Tests 


Table  1 summarizes  the  results  of  the  forty- 
two  item-environment  combinations  tested  to  date, 
sixteen  of  which  revealed  combinations  unfavorable 
to  the  desired  reliability  goals*  Tests  typical 
of  each  part  type  category  are  discussed  below* 


Logic  Modules 

The  mode  of  failure  in  the  tests  of  Gate- 
Emitter  Follower  and  Flip  Flop  modules  was 
cracking  of  the  glass  envelope  of  computer 
diodes  during  and  after  exposure  of  the  encap- 
sulated modules  to  high  temperatures*  The 
defect  was  corrected  by  replacing  the  diode 
with  one  of  another  manufacturer  which  had  not 
exhibited  this  mode-  of  failure  in  other  test s- 
to-failure.  No  failures  occurred  during 
exposure  of  the  modules  to  four  times  the  end- 
use  level  of  vibration. 

The  Buffer  module  demonstrated  an  adequate 
safety  margin  in  high  temperature.  One  sample 
failed  catastrophically  when  the  test  signal 
was  not  propagated  through  the  circuit.  This 
was  attributed  to  a transistor  short  at  203«$°C. 
Six  samples  failed  for  degraded  performance 
when  signal  propagation  time  exceeded  tolerances 
and  one  circuit  failed  when  output  level 
drifted  outside  of  the  failure  criteria  for 
this  attribute.  The  remaining  three  samples 
were  arbitrarily  classed  as  failures  when  the 
test  equipment  cables  failed  at  2li8°C.  The 
effects  of  high  temperature  on  output  level  and 
waveform  are  shown  in  Figures  1 and  2* 


WAVEFORM 


TIME 

TOP -INPUT 

BOTTOM -OUT PUT  AT  248 °C 


Figure  1 


TIME 


RISE  TIME 


BOTTOM- INPUT 

TOP -OUTPUT  AT  248 °C 


Figure  2 


112 


TABLE  1 

RESULTS  OF  MAULER  ENGINEERING  MODEL  PHASE  TEST- TO- FAILURE  PROGRAM 


ITEM 

TYPE 

SAMPLE 

STRESS 

RELIABILITY 

TEST 

SAFETY  MARGIN 

DECISION  ON  ITEM 

SIZE  (N) 

BOUNDARY 

RESULTS 

X s 

TEST 

REQ’D 

ACCEPT  REJECT 

LOGIC 

2 IN  GATE 

10  MODULES; 

HIGH 

74°C 

179.2°C  18.3°C 

5.8 

6.7 

X 

MODULES 

& EMITTER 

TOTAL  N 

TEMP 

FOLLOWER 

WAS  15 
CIRCUITS 

X 

TRAILING 

5 

HIGH 

74°C 

177.8°C  19.8  °C 

5.2 

9.8 

EDGE  FLIP 

TEMP 

FLOP 

VIBRATION 

NO  FAILURES 

BUFFER 

5 MODULES; 

HIGH  TEMP 

74°C 

228.2°C  18.6°C 

8.3 

7.4 

X 

TOTAL  N 
WAS  10 
CIRCUITS 

LOW  TEMP 

-54°C 

NO  FAILURES  TO -74°C 

4 IN  GATE 

10  MODULES; 

LOW  TEMP 

-31.7°C 

-71.6°C  4.0°C 

9.95 

6.8 

X 

& EMITTER 

TOTAL  N 
WAS  15 
CIRCUITS 

VIBRATION 

NO  FAILURES 

6 IN  GATE 

2 OF  EACH 

NOISE 

150  DB  FOR 

NO  FAILURES  AT  160 DB 

X 

& COMP.  EMIT. 
FOLLOWER 

250  MS 

FOR  8.3  MINUTES 

COMPLEMENTARY 

1 

HIGH  TEMP 

72°C 

NO  FAILURES  AT  222°C 

X 

EMITTER 

LOW  TEMP 

-40°C 

NO  FAILURES  AT -78°C 

FOLLOWER 

(LIMIT  OF  EQUIPMENT) 

SHIFT 

15 

VIBRATION 

- 

NO  FAILURES 

X 

REGISTER 

10 

LOW  TEMP 

~34°C 

NO  FAILURES 

6.0 

X 

HIGH  TEMP 

81  °C 

103°C  5.2°C 

4.0 

X 

RELAYS 

2 POLE 

9 

VIBRATION 

lOG'S 

35.56'S  11.7  G'S 

2.2 

7.6 

X 

1/2  X 
CRYSTAL 
CAN  SIZE 
(VENDOR  NO.  1) 

10 -2000  CPS 

2 POLE 

9 

VIBRATION 

lOG'S 

35.5  G’S  11.7  G'S 

2.2 

7.6 

X 

1/2  X 
CRYSTAL 
CAN  SIZE 
(VENDOR  NO.  2) 

10 -2000  CPS 

2 POLE 

9 

VIBRATION 

lOG’S 

40.0  G’S  9.4  G’S 

3.2 

7.6 

X 

1 X 

CRYSTAL 
CAN  SIZE 

10  - 2000CPS 

4 POLE 

9 

VIBRATION 

lOG’S 

- 

- 

- 

X 

2 X 

CRYSTAL 
CAN  SIZE 

10- 2000  CPS 

6 POLE 

9 

VIBRATION 

lOG'S 

32.2  G’S  11.3G’S 

2.0 

7.6  ; 

X 

3 X 

CRYSTAL 
CAN  SIZE 

10 -2000  CPS 

FUSE- LINK 

15  NO 

WATT- M/SEC 

1920  WATT- 

952.7  97.1 

9.9 

6.7 

X 

SINGLE 

13  NC 

REQUIRED 

M/SEC 

840.8  102.5 

10.5 

6.9 

X 

OPERATION 

TO  FIRE 
RELAY 

RESISTORS 

1/8  WATT 
CARBON  FILM 

20 

HIGH  TEMP 

74°C 

144  °C  5.7  °C 

12.33 

6.4 

X 

1/10  WATT 
COMPOSITION 

20 

HIGH  TEMP 

60  °C 

187.3  °C  9.01°C 

14.1 

6.4 

X 

100°C 

9.7 

6.4 

X 

1/2  WATT 

157°C  10.3°C 

6.4 

COMPOSITION 

20 

HIGH  TEMP 

9.4 

X 

5.5 

6.4 

X 

1/2  WATT 
COMPOSITION 

20 

HIGH  TEMP 

100°C 

164.5  °C  5.9°C 

10.98 

6.4 

X 

1/2  WATT 
CARBON  FILM 

20 

HIGH  TEMP 

60°C 

180.5°C  12.8°C 

9.4 

6.4 

X 

100°C 

6.3 

6.4 

X 

1 WATT 
VARIABLE 

20 

HIGH  TEMP 

100°C 

201°C  11.8°C 

8.6 

6.4 

X 

113 


TABLE  I 

RESULTS  OF  MAULER  ENGINEERING  MODEL  PHASE  TEST -TO -FAILURE  PROGRAM  (COMrT) 


ITEM 

TYPE 

SAMPLE 

STRESS 

RELIABILITY 

TEST 

SAFETY  MARGIN 

DECISION  ON  ITEM 

SIZE  (N) 

BOUNDARY 

RESULTS 

TEST 

REQfD 

ACCEPT 

REJECT 

X S 

CAPACITORS 

GLASS 

20 

HIGH  TEMP 

60°C 

185. 3°C  11.9°C 

10,5 

6,4 

X 

1M°C 

7,2 

6.4 

MICA 

20 

HIGH  TEMP 

G0°C 

121  °C  17.45°C 

3.5 

6.4 

X 

100°C 

1.2 

6,4 

X 

SOLID 

TANTALUM 

20 

HIGH  TEMP 

90°C 

155°C  17.75°C 

3,7 

6.4 

X 

CERAMIC 

20 

HIGH  TEMP 

74  °C 

216°C  U.4QC 

12.5 

6.4 

X 

DIODES 

IN538 

40 

VIBRATION 

3 G'S 

NO  FAILURES  T0  25G'S 

X 

41- 200  CPS 

FROM  5- 200  CPS 

1N645 

20 

HIGH  TEMP 

74°C 

NO  FAILURES  TO  240°C 
(TEST  CHAMBER  LIMIT) 

X 

TYPE  A 

20 

HIGH  TEMP 

74°C 

NO  FAILURES  TO  260°C 
(TEST  CHAMBER  LIMIT) 

X 

VIBRATION 

10  G’S  PEAK 

NO  FAILURES  TO:  40  G'S 
FROM  10- 142  CPS,  60  G’S 
FROM  142 -2000  CPS 

X 

TYPE  B 

20 

HIGH  TEMP 

74  °C 

257  °C  23.5°C 

7.B 

6,4 

X 

TRANSISTORS 

2N70G 

12 

HIGH  TEMP 

74  °C 

NO  FAILURES  AT  250°C 

X 

VIBRATION 

5 G'S  <142  CPS 

NO  FAILURES  TO  25G’S 
<142  CPS 

X 

9G'S>142CPS 

NO  FAILURES  TO  45  G’S 
> 142CPS 

2N70G 

12 

HIGH  TEMP 

74°C 

1B4°C  8.4°C 

12.9 

7.0 

X 

TYPEC 

20 

HIGH  TEMP 

74°C 

103°C  23.8°C 

1.3 

6.4 

X 

Ml  SC 

PRINTED  CIRCUIT 
BOARD  CONNECTOR 

0 

HIGH  TEMP 

74  °C 

NO  FAILURES  AT  250°C 

X 

VIBRATION 

5G'S  < 142CPS 

NO  FAILURES  TO  25 G'S 
> 142  CPS 

9G'S>  142CPS 

NO  FAILURES  TO  45G’S 
> 142CPS 

PANEL  LAMP 

25 

SHOCK 

36  SHOCKS 
AT  ISOG'S 

NO  FAILURES 

— 

— 

X 

114 


Relays 

Table  1 shows  three  tests  on  relays  on 
which  corrective  action  has  not  been  determined 
at  the  time  of  preparing  this  paper.  The  study- 
referred  to  in  the  table  is  an  evaluation  of  the 
possibilities  of  replacing  electro mechanic a 1 
relays  with  semi-conductor  switches.  The  trade- 
offs under  consideration  here  are  weight*  space* 
11 open -circuit * leakage,  cost,  and  of  course, 
the  relative  reliabilities  of  the  original 
relays  and  the  proposed  switches. 

Reels tors 


The  first  test  on  a half -watt  carbon  compo- 
sition resistor  showed  an  inadequate  safety 
margin  in  high  temperature  at  a reliability 
boundary  of  100°  C.  The  variability  was  halved 
and  safety  margin  doubled  when  the  power  dissi- 
pated in  the  resistors  was  cut  in  half.  This  is 
compatible  with  the  recommendations  in  1 to 
derate  the  part  50$  at  100*0* 


The  high  temperature  tests  on  the  tenth 
watt  resistor  revealed  an  unexpected  mode  of 
failure  (see  Figure  3).  The  part  demonstrated 
an  average  temperature  coefficient  of  approx- 
imately one  part  per  million  per  degree  centi- 
grade below  22$ °C;  above  this  temperature  the 
coefficient  reversed  and  increased  to  a negative 
twenty  parts  per  million  per  degree* 


Figure  3 


Capacitors 

The  mica  capacitor  test  revealed  a tempera- 
ture coefficient  of  capacitance  seven  times  as 
high  as  the  part  specification,  MIL-C-5*  allows 
and  a safety  margin  much  too  inadequate  for 
MAULER'S  needs.  This  part  was  replaced  by  on© 
with  less  susceptibility  to  high  temperature. 

The  value  of  these  results  was  questioned  when 
consideration  was  given  to  the  high  reliability 
rating  given  this  part  in  2,  Mo  comparison  of 
the  test  results  and  Ref*  ^ can  be  made  because 
in  the  above  test  the  failure  criterion  was  one 
of  a transitory  performance  degradation  and  in 
Ref,  2 it  is  permanent  and  catastrophic. 


Solid  tantalum  capacitors  came  under 
scrutiny  in  this  program.  Three  failure  criteria 
were  used  when  the  capacitors  were  exposed  to 
high  tempera  turej  capacity  drift,  leakage 
current  less  than  one  milliampere  and  less  than 
one  microampere,  at  two  levels  of  applied 
direct  voltage.  The  first  test  at  full  rated 
voltage  gave  a mean  of  155  and  a safety 
margin  of  3*7  above  the  operating  temperature 
of  90* C,  for  the  one  milliampere  leakage  limit, 

A small  improvement  in  safety  margin  was 
realised  in  the  second  test  at  80$  of  rated 
voltage,  but  5*1  was  still  too  small  to  meet 
the  MAULER  definition  of  an  adequate  margin. 

The  one  microampere  leakage  safety  margin  was 
less  than  one  in  both  tests.  No  capacitors 
failed  either  test  for  a capacity  change.  The 
Industrial  Team  Member  has  elected  to  use  high 
reliability  tantalum  capacitors  of  the 
"Minuteman11  type. 

S emi -C onduc  tors 


The  tests  on  the  Type  G transistor  demon- 
strated an  inadequate  safety  margin  in  high 
temperature  using  a minimum  current  gain  of  ton 
as  the  criterion  of  failure.  An  interesting 
aspect  of  this  test  was  that  the  low  safety 
margin  resulting  from  the  test  was  explained  by 
the  part  vendor  on  the  basis  the  transistors  in 
the  test  were  "engineering  samples1*  and  had  not 
come  under  "normal  quality  control11,  so  a 
repeat  test  on  a sample  selected  by  the  vendor 
was  begun.  The  early  failures  in  the  second 
teat  were  enough  to  convince  the  Industrial 
Team  Member  the  transistor  was  indeed  undesirably 
unstable  and  the  item  was  deleted  from  the 
MAULER  circuits.  This  step  necessitated  rather 
extensive  redesign  as  the  replacement  device, 
2N706,  does  not  strictly  replace  the  Type  G, 

Conclusions 

Test-to-Failure  as  a Reliability  Tool 

It  is  the  opinion  of  General  dynamics/ 
Pomona  the  cost  of  this  program  will  be  returned 
many  times  over*  An  example  of  this  ultimate 
savings  to  the  customer  is  illustrated  by  the 
experience  on  the  Type  C transistor.  If  these 
tests  had  not  been  conducted,  the  need  to 
replace  this  item  and  redesign  the  circuits  to 
accommodate  the  more  stable  2N706  would  not 
have  become  apparent  until  two  years  later 
when  the  subsystem  involved  entered  environ- 
mental testing*  If  the  system  environmental 
test  sample  is  small  and  test  conditions 
abbreviated  in  the  interests  of  development 
program  economy,  as  is  frequently  the  case, 
test-to- failure  will  identify  failures  that 
would  occur  after  delivery  when  production 
hardware  is  exposed  to  the  extremes  of  end-use 
conditions.  Redesign  on  the  basis  of  test-to- 
failure  results  incorporates  a contingency  for 
errors  in  estimating  the  end-use  conditions  and 
degradation  In  the  strength  of  the  part  tested. 
An  example  where  MAULER  test-to-f  allure 


115 


eliminated  a problem  at  subsystem  qualification 
test  and  end-use  is  seen  in  the  case  of  the  mica 
capacitor*,  22%  of  the  200  mica  capacitors  in  a 
critical  subsystem  would  have  failed  when 
subjected  to  the  specification  high  temperature 
limit*  With  a failure  percentage  this  high, 
the  small  sample  of  subsystems  currently  planned 
for  qualification  testing  would  have  disclosed 
this  problem*  However,  it  is  doubtful  if  the 
qualification  test  would  have  revealed  anything 
wrong  in  the  1300  mica  capacitor  applications 
in  other  subsystems  but  performance  of  one 
MAULER  out  of  five  could  be  degraded  when 
exposed  to  the  high  temperature  end-use  environ- 
ment. A crash  program  of  failure  diagnosis, 
corrective  action  and  retrofit  at  the  subsystem 
level  would  have  cost  more  than  the  total  cost 
of  the  entire  test-to-failure  program  on  all 
items  at  all  Industrial  Team  Members. 

A comparison  of  the  variability  of  part 
strength  with  the  conditions  the  part  would 
experience  in  use  is  the  object  of  the  program 
and  this  comparison  is  being  made.  Test-to- 
failure  furnishes  data  on  behavior  of  parts 
under  stress  of  great  value  to  the  designer 
which  is  not  available  by  any  other  means.  This 
information  and  its  application  in  design 
improves  the  chances  of  delivering  reliable 
hardware.  These  same  data  can  be  useful  in 
reducing  cost  by  replacing  unnecessarily  strong 
and  expensive  parts  where  adequate  strength  is 
available  in  a lower  cost  item.  Another  cost 
reduction  can  result  from  recognizing  and 
eliminating  costly  environmental  protective 
features  which  test-to-failure  reveals  as  unnec- 
essary. 

Mopt  tests  generated  the  normal  distribution 
of  failures  assumed  by  the  method,  however, 
instances  of  distributions  other  than  normal 
have  been  noted.  Assuming  failure  of  the  un- 
failed items  in  a sample  when  a test  is  termin- 
ated prematurely  reduces  the  sample  deviation 
and  mean.  This  effect  should  be  considered  in 
judging  the  test  results. 

The  timing  of  these  tests  is  important,  if 
the  maximum  benefit  is  to  be  derived  from  them. 
The  MAULER  tests  are  being  run  concurrent  with 
that  period  when  the  designer  is  deciding  what 
parts  and  assemblies  he  should  use.  Having  the 
results  available  to  assist  in  these  decisions 
has  eliminated  the  cost  and  delay  involved  in 
making  the  changes  after  the  design  begins  to 
freeze  up. 

Test-to-failure  provides  the  answer  to  the 
question,  "What  happens  if  the  stress  on  the 
system  is  raised? n Taking  the  test-to-failure 
results  and  plugging  in  the  new  stress  level  as 
a new  Reliability  Boundary  in  the  calculations 
gives  a quick  estimate  of  the  new  safety  margins. 
No  additional  testing  is  required  and  the  calcu- 
lation is  made  in  seconds.  This  stresses  the 
importance  of  keeping  the  test  data  on  hand  for 
ready  use  at  any  time.  General  Dynamic s/Pcmona 


is  doing  just  this|  a summary  of  the  test  and 
its  results  is  included  in  the  MAULER  Standard 
Parts  List  catalog  and  a complete  file  of  test 
reports  is  available  for  use.  Incidentally, 
the  Industrial  Team  Members  are  submitting 
copies  of  these  reports  for  inclusion  in  the 
In  ter -Service  Data  Exchange  Program  (IDEP). 

Corrective  Action 

Every  test  which  revealed  an  incompatibility 
of  part  capability  with  the  conditions  of  use 
resulted  in  steps  taken  to  increase  the  margin 
between  part  strength  and  the  critical  stress* 

No  problem  was  dismissed  with  the  excuse  that 
the  unsatisfactory  item-environment  combination 
was  inevitable  and  MAULER  was  stuck  with  it. 

Positive  Correction  - If  a part*s  safety 
margin  was  inadequate  and  s tronger  parts  were 
available  at  a low  penalty  to  cost,  size, 
standardization,  etc . , correc tive  ac  tion  con- 
sisted of  a simple  substitution  of  parts  in 
the  design.  When  the  penalties  of  a part 
change  appeared  high,  the  alternate  corrective 
actions  were  evaluated  with  great  care.  An 
instance  of  a decision  with  a high  penalty  was 
the  substitution  of  the  2N706  for  the  Type  C 
transistor.  This  action  scrapped  the  design 
of  a large  portion  of  the  MAULER  computing 
system.  The  reliability  people  involved 
weighed  the  problem  and  its  solutions  carefully 
before  recommending  a change  of  such  Import. 

A situation  which  also  resulted  in  a major  re- 
design was  the  decision  to  replace  germanium 
with  silicon  semi-conductors. 

State-of-the-Art  Problems  - Not  all  the 
problems  disclosed  by  the  tests  had  solutions 
as  clear  cut  as  finding  a better  part  and  using 
it.  The  tests  on  relays  demonstrated  the 
desired  compactness  and  reliability  are  not  yet 
available  in  a single  relay*  The  designer  was 
instructed  to  examine  all  relay  applications 
and  evaluate  each  against  the  criteria  of 
failure  used  in  the  vibration  test-to -failure 
and  in  those  instances  where  the  requirements 
of  the  application  and  the  part*s  character- 
istics were  compatible,  the  relay  would  be 
used.  In  other  instances,  a slight  modifica- 
tion of  the  environment  by  isolation  or 
relocation  of  the  relay  might  suffice.  In  the 
remaining  cases,  if  they  are  few,  the  price  of 
a larger  relay  may  be  within  reason#  An 
alternate  solution  now  under  consideration  is 
replacing  relays  of  the  familiar  electro- 
mechanical type  with  semi-conductor  switches. 

Tantalum  capacitors  have  not  submitted 
readily  to  simple  solutions.  The  units  tested 
were  the  penultimate  of  the  reliable  types. 

The  decision  to  replace  them  with  the  higher 
reliability  "Minuteman11  types  was  made  after  a 
comparison  of  increased  MAULER  delivery  cost 
with  costs  of  field  failures  and  repairs  showed 
an  appreciable  decrease  in  over-all  cost  to 
the  Army. 


Il6 


Safety  Margins 


References 


An  unnecessary  limitation  to  the  usefulness 
of  this  method  as  a reliability  design  aid  in 
this  program  was  over -formalization  of  the  test* 
This  was  imposed  by  the  prime  contractor  in 
establishing  it  as  a major  step  in  demonstrating 
reliability*  Since  then  both  the  Army  and  the 
MAULER  prime  contractor  have  come  to  realize 
that  an  arbitrary  safety  margin  common  to  all 
item-environment  combinations  is  not  the  answer 
and  may  result  in  reliability  measures  whose 
cost  is  out  of  proportion  to  the  protection 
needed*  This  revelation  has  resulted  in  elimin- 
ation of  the  universal  safety  margin  and  the 
determination  of  the  protection  required  was 
left  up  to  the  designers  analyses  of  the  prob- 
lems and  their  trade-offs,  Ref*^. 

In  summary.  General  Dynamic s/Pomona  has 
concluded  test-to-failure  fills  a wide  gap  in 
our  knowledge  of  item  behavior*  It: 

(a)  Provides  a measure  of  item  strength 
in  any  environment  of  interest* 

(b)  Estimates  the  portion  of  the  popula- 
tion of  the  item  that  will  fail  at 
any  level  of  the  environment* 

(c)  Reveals  modes  of  non-catas trophic 
failure  at  any  level  of  the 
environment* 

(d)  Reveals  modes  of  failure  at  the 
catastrophic  failure  level  of  the 
environment* 

(e)  Provides  clues  to  failure  mechanisms 
in  assemblies  and  systems* 

(f)  Provides  failed  hardware  for  analysis 
to  strengthen  the  part  or  reduce 
environmental  stress* 

(g)  Provides  knowledge  for  determining 
effects  of  design  changes  of  load, 
location,  environment  level,  etc* 

(h)  Identifies  abnormal  items  in  a lot 
when  used  as  a non- destructive 
screening  test* 

(i)  Is  highly  sensitive  to  subtle  changes 
in  part  material,  design,  processes 
and  workmanship* 


1.  Application  Design  Notes  (Electronic 

Components),  ASE5A  Armed  Services 

Electro-Standards  Agency,  Fort  Monmouth, 

New  Jersey* 

2*  Reliability  Stress  Analysis  for  Electronic 
Equipment,  RCA  Technical  Report  5^^16-lc 

3*  Designing  Combined  Environmental  Tests -to- 
Failure  to  Yield  Effective  Reliability 
Indices,  V*  L*  Grose,  Boeing  Airplane  Co*, 
Test  Engineering,  May  1959 , page  10* 

iu  ARGMA  Procedure  for  Establishing  Practical 
Safety  Margins,  1 May  1961* 

Bibliography 

1*  ^Reliability  Through  Safety  Margins”, 

Robert  Lusser,  U*  S.  Army  Ordnance  Missile 
Command,  October  1958* 

2*  ”A  Study  of  Methods  for  Achieving  Relia- 
bility of  Guided  Missiles13,  Robert  Lusser, 
U*  S*  Naval  Air  Missile  Test  Center 
Technical  Report  No*  75*  10  July  1950* 

3*  ”General  Specifications  for  the  Safety 
Margins  Required  for  Guided  Missile 
Components”,  U*  S*  Naval  Air  Missile  Test 
Center  Report  No*  8ij.,  10  July  1961 
(Reproduced  by  Redstone  Arsenal, 

Huntsville,  Alabama) 

U*  “Testing  to  Specified  Limits  versus 

Testing  to  Failure”,  Robert  Lusser,  5th 
Joint  Military-Industry  Reliability 
Symposium,  Redstone  Arsenal,  15-17  October 
1958* 

5*  “Estimating  Reliability  as  a Function  of 
Stress/Strength  Data”,  J*  E*  Norman, 
Research  and  Development  Operations,  Amy 
Rocket  and  Guided  Missile  Agency,  Redstone 
Arsenal,  Alabama,  November  1961* 

6*  “Evaluation  by  Over  stress”,  W*  S*  Connor, 
The  Research  Triangle  Institute $ Industrial 
and  Engineering  Chemistry,  Vol*  53,  No*  6, 
June  1961,  page  73A-7UA* 


117 


Appendix  A 

An  Example  of  the  Use  of  Test- to -Failure  as  Aid 
in  Design  of  Other  Types  of  Reliability  Tests 

The  prime  contractor  used  the  test-to- 
faiTure  method  in  designing  an  accelerated  life 
test*  General  Dynamics/ Pomona  as  a result  of 
reliability  prediction  studies  had  concluded  an 
improvement  of  11$  in  over-all  system  reliability 
would  result  if  a recently  developed  resistor 
replaced  one  of  older  vintage*  The  only  basis 
for  this  conclusion  was  data  generated  in  tests 
by  the  vender*  GD/P  wanted  to  make  a quick 
comparison  between  the  reliabilities  of  the  two 
resistors*  In  the  interests  of  efficiency  and 
economy*  an  estimate  of  the  stress  levels  which 
would  precipitate  resistor  failures  in  a test  of 
reasonable  duration  was  desirable*  A test-to- 
failure  was  performed  which  generated  failures 
in  a few  seconds*  The  stress  (power  dissipated 
in  the  resistors)  was  raised  at  three  second 
intervals  until  failure  (a  permanent  change  of 
$%  of  nominal  resistance)  had  occurred  in  the 
entire  sample  of  both  resistor  types*  This 
developed  the  data  for  the  curves  shown  at  A^ 
and  Bx  in  Figure  h*  A second  set  of  curves* 

A2  and  was  generated  by  applying  increasing 
power  for  six  second  steps  for  a total  of 
0*1  hour. 


Fixed  stress  levels  for  the  accelerated 
life  tests  could  now  be  estimated  such  that  the 
tests  would  be  completed  in  about  ten  hours  at 
the  lowest  stress  level  on  the  stronger  part* 

The  levels  selected  were  2*5  and  k watts*  The 
failure  rate  of  resistor  B in  this  test  was 
approximately  one  hundred  times  that  of  resistor 
A*  as  is  seen  by  comparing  A3  with  B3  and  Al 
with  B^* 

The  candidates  for  the  test  were  selected 
on  the  basis  of  their  advertised  rating*  fll/2 
watt11*  Resistor  A is  eighteen  times  the  volume 
of  resistor  B*  This  test  revealed  that  failure 
rate  of  the  parts  may  be  a function  of  resistor 
volume.  Since  resistor  A is  too  large  to  use 
without  compromising  electronic  package  size, 
another  life  test  on  samples  of  resistor  A of 
nearly  identical  volume  ("l/Q  wattn)  was  per- 
formed* A third  level  of  power*  1*5  watts*  was 
run  on  both  the  "1/8  watt"  resistor  A and 
**l/2  wattu  resistor  B*  The  results  of  the 
added  tests  can  be  evaluated  by  comparing  Ag 
with  Bj,  Ag  with  and  A7  with  Bg*  The 
primary  conclusion  is  obvious*  even  the  M1  /8 
watt"  resistor  A has  a lower  failure  rate  than 
the  f,l/2  watt11  resistor  B.  Other  conclusions 
which  may  be  drawn  tentatively  from  this  test 
ares  Resistor  volume  may  be  a better  index  of 
reliability  than  rating*  and  wide  differences 
in  resistor  construction  methods  may  not  result 
in  wide  differences  in  reliability. 


Figure  4 


118 


Appendix  B 

Author’s  Reflections  on  Test-to- Failure 

Test -to -failure  has  made  a contribution  to 
the  MAULER  reliability  program  beyond  what  would 
be  expected  in  light  of  its  limited  acceptance 
in  the  industry.  Some  of  the  reasons  for 
rejecting  the  method  advanced  during  the  MAULER 
program  are  discussed  below* 

Test “to -failure  has  been  criticized  by  some 
for  the  reason  that  it  is  of  little  use  to 
estimating  part  life;  the  method  of  applying 
stress -level-to-f allure  data  to  a prediction  of 
time -to -failure  has  not  been  established*  An 
item  which  demonstrates  an  adequate  test-to- 
failure  safety  margin  may  do  teriorate  rapidly  in 
actual  use*  This  is  possible  but  an  item  which 
exhibits  an  inadequate  safety  margin  at  zero 
time  will  have  a high  rate  of  failure  in  use. 

A meaningful  life  test  involves  accumulation  of 
several  thousand  part  hours,  either  with  a large 
sample  of  parts  for  a few  thousand  hours  or  a 
small  sample  for  several  thousand  hours*  Test- 
to -failure  on  the  other  hand  requires  a much 
smaller  sample  for  tens  of  hours  and  it  does 
develop  a statistically  sound  estimate  of  the 
proportion  of  part  population  that  will  fail  at 
any  level  of  the  applied  stress.  The  information 
obtained  in  test- to -failure  is  of  value  in 
designing  a life  test  (see  Appendix  A). 

Another  criticism  leveled  at  test-to-f allure 
is  it  is  not  as  good  as  a qualification  test-to- 
specified -level  because  it  measures  strength  in 
only  one  environment  and  is  excessively  expensive. 
There  is  no  limitation  inherent  in  test- to - 
failure  against  using  any  and  all  environments 
desired,  combinations  included.  (Ref.  3) 

Like  qualification  testing,  the  sample  size  can 
be  any  economically  or  physically  convenient 
quantity,  a little  additional  time  is  required 
to  increase  the  stress  and  fail  all  parts  In  the 
sample,  and  the  added  data  analysis  can  be  per- 
formed in  minutes.  What  is  added  is  an  increase 
in  risk  of  finding  the  part  unsatisfactory!  viz., 
some  parts  rejected  by  this  program  met  the 
applicable  procurement  specification*  Tests  to 
specified  levels  such  as  qualification  tests  are 
aimed  at  getting  the  parts  through  without 
failure,  "tests -to-succeas 11 , Any  test  which  sets 
out  to  avoid  failure  is  not  a reliability  test; 
reliability  testing  must  generate  failures  if  a 
statement  about  the  probability  of  failure  is  to 
result*  On  this  premise  the  author  submits 
test-to -failure  is  a superior  reliability  test 
to  the  present  qualification  test* 

Test- to- failure  critics  claim  it  is  not  as 
good  as  qualification  tests-to-specified-level 
because  it  is  only  performed  once  and  therefore 
gives  no  protection  against  a degrading  change 
in  parts  production.  There  is  no  reason  for  not 
using  test-to- failure  to  requalify*  In  fact, 
because  it  yields  more  information  than  a test- 
to -spec  if  led- level  about  part  strength,  it  is 
more  sensitive  to  subtle  changes  in  part  design, 


materials,  and  processing*  A semi-conductor 
manufacturer  interviewed  by  the  author  stated 
he  used  the  method  to  compare  new  versions  of 
parts  with  old  to  assure  continuation  or 
improvement  of  part  strength*  This  suggests 
the  possibility  of  using  test -to -failure  for 
quick  assessment  of  changes  in  reliability  of 
^Darnell"  and  other  high  reliability  parts, 

A rather  interesting  criticism  against 
test -to -failure  is  that  it  destroys  the  sample 
for  later  use  in  experimental  hardware*  This 
is  true  of  destructive  tests -to-failurej  non- 
destructive tests  will  leave  samples  suitable 
for  experimental  hardware*  The  failed  parts 
are  useful,  particularly  if  the  part  demon- 
strates an  inadequate  safety  margin*  In  these 
failed  parts  reside  the  clues  to  improving 
them,  or  reducing  the  critical  stress  and 
achieving  an  adequate  margin.  Specimens  from 
a test  which  demonstrated  adequate  margin 
should  not  be  arbitrarily  discarded  either. 
Examination  of  these  may  reveal  failure  mechan- 
isms which  could  identify  potential  problems 
not  anticipated*  These  failed  parts  can  also 
disclose  failure  mechanisms  which  can  result 
in  secondary  failures  in  other  parts*  An 
example  of  this  is  the  negative  temperature 
coefficient  above  22$° 0 on  the  tenth-watt 
resistor  tested  in  this  program.  This  inform- 
ation will  help  the  designer  in  protecting 
parts  associated  with  these  resistors  from 
overload.  It  will  also  help  explain  why 
resistors  in  a system  have  dropped  in  value 
and  provide  the  clues  to  a fix.  Failed  diodes 
removed  from  the  Gate -knitter  Follower  and 
Flip-Flop  modules  were  returned  to  the  vendor 
who  upon  examination  of  the  failed  parts  was 
able  to  pin-point  the  defect  in  his  manufactur- 
ing processes  and  effect  a change  to  eliminate 
the  failure  mechanism*  Individual  circumstances 
dictate  whether  the  information  gained  from  a 
destructive  test-to-f allure  is  of  more  or  less 
value  than  the  cost  of  providing  additional 
parts  for  experimental  hardware* 

The  author  recommends  test-to -failure  for  use: 

As  an  Aid  in  Selecting  Farts  for  a Mew 

Design 

As  a design  aid,  test -to -failure  has  no 
equal  in  furnishing  data  about  the  behavior  of 
the  item  in  a critical  environment.  The  item’s 
ability  to  work  at  the  design  stress  level  and 
above  can  be  assessed.  Its  behavior  as  the 
failure  level  Is  approached,  how  it  behaves  in 
failing,  the  shape  and  parameters  of  the  failure 
distribution  are  revealed  for  the  inquisitive. 
And  the  wonders  of  failed  hardware  are  there 
for  study;  if  the  item  Is  too  weak  for  use  as 
It  stands,  clues  to  its  improvement  may  be 
found  in  its  remains* 


119 


To  Evaluate  the  Effect  of  Environment  Level 
Changes  on  Reliability 


Once  a test-to- failure  has  been  performed, 
there  is  no  need  to  run  another  test  to  determine 
the  response  of  the  item  at  a different  level  of 
the  environment®  Compare  the  distribution  of  the 
part  failures  with  the  new  level  and  the  answer 
is  available®  This  is  not  true  of  tests  to 
specified  level$  if  the  new  environment  level  is 
higher,  a new  test  must  be  performed® 

Use  it  to  Qualify  and  Re  qualify  Material 

and  Parts 

The  sensitivity  of  this  test  and  the  inform- 
ation it  reveals  about  the  strength  of  hardware 
make  it  a powerful  and  economic  method  to  estab- 
lish a desired  reliability  level  and  maintain  it 
in  production.  The  quality  of  some  items  can  be 
effectively  controlled  by  using  non-destructive 
failure  criteria,  thus  test-to-failure  can  be 
used  to  screen  out  the  weak  items  in  a lot® 

Use  it  as  an  Aid  in  Life  Test  Design 

The  example  given  in  Appendix  A demonstrates 
the  method^  usefulness  in  planning  a life  test, 
particularly  in  selecting  the  stress  levels  to 
be  employed  in  accelerating  the  test.  Life  tests 
for  comparing  the  reliability  of  two  or  more 
similar  items  are  not  necessary  if  comparative 
tests -to-failure  are  run®  The  life  of  a part  is 
improved  by  making  it  stronger  or  reducing  the 
stress  on  it  and  this  test  will  find  the  answer 
quicker  and  at  less  cost  than  a comparative  life 
test® 


120 


THE  HUMAN  AS  A MISSILE  SYSTEM  COMPONENT 

R.  F.  Chaillet  & A*  Steinberg 
Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 


The  Army  Ordnance  Missile  Command  (AOMC)  ap~ 
proach  to  missile  system  reliability  achievement 
is  through  strong  design  control  during  develop- 
ment, Human  engineering  is  one  of  the  principal 
controls  over  design.  As  the  missile  system 
development  phase  progresses,  design  weaknesses 
should  be  uncovered  by  design  review,  laboratory 
environmental  tests,  and  complementary  investiga- 
tion  and  analysis  prior  to  field  tests  of  the 
system.  System  tests,  then,  is  presumed  to  be  a 
demonstration  of  design  achievement. 

A study  was  made  of  approximately  1,000 
flight  tests  of  Army  missiles  at  various  test 
sites.  These  were  system  tests  which  are  usually 
conducted  under  optimal  conditions.  The  weather 
is  ideal,  the  target  position  is  generally  known, 
and  the  operator (s)  is  aware  of  the  firing  sched- 
ule. Thus,  test  failures  are  probably  less  fre- 
quent than  might  occur  in  a tactical  environment 
where,  in  addition  to  degraded  conditions,  emo- 
tional factors  are  multiplied.  However,  due  to 
the  lack  of  realistic  tactical  situations  for 
testing,  we  are  obliged  to  use  the  test  results 
available  for  information  concerning  system  de- 
sign achievement.  These  tests  present  little 
data  regarding  ground  support  equipment,  for  the 
test  is  principally  one  of  missile  achievement. 

In  this  context  then,  identifiable  human  errors 
were  studied  and  an  analysis  of  the  cause  of  fail- 
ure attempted.  A word  of  caution  however,  due  to 
the  paucity  of  reported  data  on  missile  flights, 
at  best,  our  ability  to  localize  each  failure  to 
a specific  malfunctioning  part  or  human  error  is 
questionable. 

Human  Engineering  and  Design 

Unfortunately,  our  system  tests  have  shown 
us  that  often  the  design  was  inadequate.  Design 
inadequacy  is  not  due  to  incompetency  of  design 
personnel  but  to  their  inability  to  be  specialists 
in  all  design  areas.  For  example,  the  designer 
may  be  told  that  his  design  must  operate  in  a 
cold  environment  of  -65°F.  His  concept  of  the 
operational  environment  may  not  extend  beyond  the 
work  bench  in  front  of  him  and  the  relatively 
comfortable  flow  of  conditioned  air  around  him. 

In  this  aura  of  job  satisfaction,  he  designs  and 
constructs  equipment  that  he  can  operate  and  main- 
tain very  effectively.  When  necessary,  he  can 
make  all  system  adjustments  with  ease.  His  bare 
hand  fits  into  each  area  and,  with  a minimum  of 
effort,  he  can  replace  parts.  He  is  not  in  any 
hurry  to  escape  his  environment  to  a warmer,  cool- 
er, or  safer  one  as  might  be  the  case  for  a sol- 
dier in  the  field.  The  designer  may  reason  "these 
adjustments  and  repairs  can  be  made  so  easily  that 
with  so  little  effort,  I can  miniaturize  the 


equipment  to  save  space"  and  in  so  doing,  make 
adjustment  of  the  equipment  at  cold  temperatures 
impossible.  Somewhere  in  the  design  process,  the 
interaction  between  the  equipment  and  the  operator 
becomes  lost  and  our  design  engineer  begins  to 
view  his  portion  of  the  system  as  if  it  were  the 
total  system. 

It  has  been  stated  that  "Machines  do  not 
operate  by  themselves".  This  is  extremely  impor- 
tant to  remember  as  our  systems  tend  toward  auto- 
mation. Automation  does  not  eliminate  the  man  it 
simply  changes  the  nature  of  the  task  he  performs. 
So  constant  serious  consideration  should  be  given 
to  the  human’s  task  as  we  automate  in  system 
design,  at  least  until  such  time  as  man  himself 
is  completely  replaced  by  machines. 

The  popular  concept  of  human  engineering  is 
that  of  tinkering  with  "knobs  and  dials".  Cer- 
tainly this  is  a portion  of  Human  Engineering, 
but  only  a very  small  portion.  You  may  have  heard 
the  phrase  "man-machine  relationships"  spoken  as 
though  it  were  some  witch  doctor’s  mumbo- jumbo, 
that  when  uttered,  will  mystically  eliminate  your 
problems.  Human  engineering  is  nothing  more  than 
an  application  of  the  scientific  method  to  systems 
design  to  achieve  the  best  feasible  assignment  of 
system  task  responsibilities  to  the  human  and/or 
the  equipment.  The  human  engineer  wants  to  study 
the  design,  to  relate  the  design  to  human  behavior 
data,  and  to  recommend  changes,  if  necessary,  that 
will  permit  his  component,  the  human,  to  perform 
effectively.  His  goal  is  to  educate  the  design 
engineer  in  terras  of  the  capability  and  limita- 
tions of  the  human  component. 

Human  Engineering  provides  distinctive  gains 
in  system  reliability  because  the  completed  de- 
sign will  reflect  reasonable  demands  on  the  human 
in  terms  of  system  operation  and  maintenance. 

For  example,  there  are  systems  in  use  today  that 
place  the  guidance  and  control  responsibility 
squarely  on  the  human  operator.  This  is  an  un- 
realistic assignment  when  one  considers  the  human 
parameters  of  response  time,  eye-hand  coordination 
under  stress  situations,  and  the  tendency  to  over- 
compensate when  correcting  previous  errors,  to 
mention  but  a few.  From  a design  viewpoint, 
though,  humans  are  very  inexpensively  mass  pro- 
duced guidance  and  control  systems  requiring  no 
unique  production  tools. 

At  AOMC  we  prefer  to  see  the  contractor's 
Human  Engineers  in  an  organizational  position  to 
assure  acceptance  of  their  design  recommendations. 
In  this  way,  the  human  engineers  can  work  with  all 
organizational  elements  on  a variety  of  projects, 
cross  indoctrinating  and  educating  as  they  work. 


121 


Cause  of  System  Failure  During  Test 

Unreliability  can  be  introduced  into  Missile 
Systems  at  the  time  of  manufacture  or  during  field 
operations.  Quality  control  should  detect  manu- 
facturing defects,  however,  we  have  had  situations 
where  the  quality  of  soldered  connections  went 
"out  of  control"  and  remained  undetected  until 
field  testing.  In  this  Instance,  all  missiles 
were  recalled  by  the  manufacturer  for  a secondary 
review  of  workmanship.  Except  for  this  isolated 
situation,  the  human  contributions  during  menu* 
factoring  processes  relating  to  failures  in  sys- 
tems testing  have  been  difficult  to  detect. 
Therefore,  they  will  not  be  considered  in  the  re- 
mainder of  this  paper.  We  are  not  minimizing 
this  aspect.  On  the  contrary,  this  entire  area 
should  be  studied  thoroughly  as  a possible  means 
of  Improving  reliability  and  reducing  the  number 
of  line  rejects  in  production. 

Flight  tests  that  have  failed  in  field  opera- 
tions as  a result  of  human  error  can  be  attributed 
to  one  of  three  principal  causes: 

1*  Maintenance  errors# 

2.  Pre- firing  adjustment  errors, 

3*  Operator  error  introduced  at  or  after 

launch. 

The  number  of  readily  identifiable  human  errors 
in  a system  testifies  to  the  design  inadequacy  of 
that  system.  Training  in  system  operating  proce- 
dures, when  used  as  a substitute  for  effective 
design,  highlights  the  human  errors  thereby  rais- 
ing the  hue  and  cry  "Pilot  Error"  and  thus  ab- 
solving the  system  of  any  blame. 

Types  of  Guidance 

Before  analysing  the  flight  data,  some  know- 
ledge of  the  types  of  guidance  techniques  must  be 
available#  With  respect  to  human  effects  on 
flight  tests,  AGMC  missile  systems  may  be  consid- 
ered as  automatic,  semi-automatic,  or  manual  dur- 
ing missile  flight#  By  this  criteria,  ballistic 
missiles  are  considered  fully  automatic  since  the 
course  cannot  be  altered  during  flight.  Hawk, 

Nike  Hercules,  and  Lacrosse  display  various  de- 
grees of  automation.  The  anti-tank  missiles,  SS- 
10,  SS-11,  and  Entac,  are  manual  and  the  operator 
is  a vital  part  of  the  guidance  loop  during 
flight#  As  may  be  suspected,  the  manual  systems 
have  the  highest  recorded  percent  of  system  fail- 
ures as  a result  of  human  error. 

Electronic  devices  in  the  semi- automated  sys- 
tems generally  replace  what  would  otherwise  have 
been  a manual  guidance  system.  Such  devices, 
whether  radar,  infrared,  etc,,  are  complex  to  con- 
struct, adjust,  and  test.  For  such  semi-automated 
systems,  the  major  human  error  contribution  to 
flight  failure  appears  to  be  introduced  during 
checkout  or  alignment# 


The  objective  of  firing  a missile  is  to  des- 
troy a target.  All  tests  that  fall  short  of  this 
objective  are  graded  as  failures.  Should  the 
missile  not  contain  a warhead,  a success  is  re- 
corded if  the  miss  distance  is  within  the  lethal 
range  of  the  warhead  scheduled  for  use  with  the 
missile  undergoing  tests.  In  the  case  of  Ground 
to  Air  Missiles  Circular  Probable  Error  (CPE)  in 
the  conventional  artillery  sense  is  not  considered 
an  adequate  criteria  for  reliability  scorekeeping 
since  the  problem  is  a three  rather  than  two  di- 
mensional one. 

Table  1 

Missile  System  Flight  Failures 


Human  Nike 

Error Hawk  Hercules SS-11 


Improper 

Maintenance 

11 

5 

0 

Preflight 

Maladjustments 

13 

1 

0 

Operator 

Error 

2 

1 

7 

Total 

26 

7 

7 

All  Failures 

Analyzed 

270 

303 

46 

Human  Error  to 
All  Failures 
Analyzed 

9.6% 

2,37* 

15.2% 

System  Data 

Hawk 


The  Hawk  is  the  AOMC  system  with  the  largest 
missile  parts  population,  and  therefore,  with  the 
greatest  missile  complexity.  It  is  also  the  most 
automated  in  flight  operations,  excluding  ballis- 
tic missiles# 

Of  the  26  identified  human  errors  causing 
flight  failure,  2 rounds  were  R&D  tests,  7 were 
Engineering  tests,  and  17  were  Troop  firings.  Al- 
most every  conceivable  error  occurred  within 
these  26  failures.  Some  of  these  errors  were: 

1.  Reversed  voltage  because  of  inter- 
changed leads . 

2.  Complete  sub- system  not  installed, 

3.  Maladjustments  of  synchros,  potenti- 
ometers, and  antennae# 

4.  Switches  left  in  the  'off*  position, 

5.  Plugs  and  screws  not  secured. 


122 


Another  odd  problem  was  where  damage  resulted  In 
connectors  because  of  heavy  probing  with  test 
equipment  by  maintenance  personnel. 

Nike  Hercules 

The  relatively  small  number  of  human  gener- 
ated failures  on  the  Nike  Hercules  testifies  more 
to  our  longer  experience  with  the  system  than  to 
a greater  inherent  reliability.  The  Hercules  was 
developed  from  the  Nike  Ajax  and  operator  and 
maintenance  functions  were  carried  over  in  the 
orderly  evolution.  Unfortunately,  many  of  the 
human  engineering  deficiencies  of  the  Nike  Ajax 
were  redesigned  into  the  Hercules  system.  The  7 
denoted  failures  represent  the  usual  garnet  of  neg- 
ligence  such  as: 

1.  Safety  leads  not  removed. 

2.  Switch  in  'test’  rather  than  'oper- 
ate' position. 

3.  Disconnected  leads. 

4.  Command  destruct  activated  prema- 
turely. 

SS-11 

The  series  of  Anti-Tank  missiles  tested  to 
date  use  similar  guidance  techniques.  These  in- 
volved an  optical  system  and  require  the  operator 
to  manually  acquire  and  control  the  missile  after 
launch.  For  these  systems,  failures  may  be  inad- 
vertantly attributed  to  operator  error  when  actu- 
ally functional  failure  may  be  the  mal factor.  For 
example,  test  results  indicate  the  missile  impact- 
ed the  ground  well  short  of  the  target.  The  oper- 
ator states  he  was  giving  an  up  command  at  the 
time.  The  operator  is  judged  to  have  been  com- 
pensating for  previously  given  commands.  A re- 
corder attached  to  the  operators  control  would 
have  permitted  a more  thorough  analysis  of  the 
operator's  contribution,  if  any,  to  the  flight 
failure  rather  than  accepting  subjective  judge- 
ment of  evaluating  personnel.  At  any  rate,  it 
is  apparent,  from  the  results  in  Table  1,  that 
functional  reliability  of  the  system  is  consider- 
ably greater  than  operator  reliability. 

SS-11  tests  analyzed  were  those  of  a particu- 
lar series  conducted  at  Redstone  Arsenal. 

System  Failure  - General 

In  general,  there  are  human  errors  contribut- 
ing to  missile  failure  in  every  system.  On  a La- 
crosse round,  the  operator  Improperly  set  a com- 
puter. On  Redeye,  fins  were  inserted  backwards, 
ignition  leads  were  cut  improperly,  and  failure 
to  uncage  a gimboled  component  prevented  the  pos- 
sibility of  success.  The  latter  type  resulted 
from  the  inability  to  perform  correctly  a simul- 
taneous two  hand  coordination  function*  This  oc- 
curred in  an  ideal  environment. 


In  the  broad  sense,  every  failure  might  be 
traced  back  to  the  human.  In  our  failure  analysis 
undefined  failure  causes  are  presumed  to  be  mater- 
ial deficiencies.  Obviously,  many  of  the  unde- 
fined failures  of  Hawk  and  Hercules  may  be  human 
errors,  so  our  conclusion  must  be  that  our  ratio 
of  identifiable  human  errors  to  total  failures  is 
very  conservative  for  these  systems. 

Conclusions 

1*  The  design  should  be  simple  with  a mini- 
mum of  test  requirements  and  a maximum  of  modular 
sub-system  items  that  are  replaced  but  not  repair- 
able in  the  field.  It  is  axiomatic  that  a soldier 
will  test  if  allowed  to  and  will  improvise  if  pos- 
sible. 

2,  The  opportunity  for  human  error  is  great- 
er in  the  'prepare  to  launch1  phase  of  complex 
and/or  automated  missile  systems  as  indicated  in 
Table  1* 

3.  Training  should  be  an  adjunct  to  effect- 
ive system  design  not  a substitute  for  it. 

In  closing,  we  would  like  to  emphasize  the 
difficulties  inherent  In  obtaining  data  to  sub- 
stantiate the  human  error  contribution  to  the 
various  identifiable  failure  areas  mentioned  ear- 
lier. We  feel  that  a more  rigorous  analysis  of 
each  missile  flight  failure  should  be  made.  This 
is  not  an  unreasonable  recommendation,  and  if 
done,  would  benefit  future  designs.  We  have  only 
to  witness  the  detailed  reconstruction  of  each 
commercial  aircraft  accident  and  the  resultant 
improvement  in  either  equipment  or  procedures  to 
realize  that  the  effort  expended  would  reflect 
large  gains  in  future  systems. 


123 


THE  BOLE  OF  HUMAN  FACTORS  IN 

WHITE  BOOM  MANUFACTURING  RELIABILITY 

Edward  I.  Gavurin,  Ph.  D. 

General  Electric  Company 
Missile  and  Space  Vehicle  Department 
Philadelphia,  Pennsylvania 


HSl1-  SUMMARY 

It  is  important  to  recognize  that  the  overall  re- 
liability of  equipment  is  not  only  a function  of  the  com- 
ponents of  which  it  is  comprised  but  also  of  the  individ- 
uals who  produce  it.  Consequently,  increasing  the 
reliability  of  the  production  workers’  performance  will 
also  increase  the  reliability  of  the  finished  product. 

This  paper  has  concerned  itself  both  with  the  role  which 
human  performance  plays  in  white  room  manufacturing 
reliability  and  the  techniques  for  optimizing  this  per- 
formance within  a controlled  environmental  work  setting. 
Consideration  has  been  given  to  the  effect  of  selection, 
training,  motivation  and  morale,  and  the  special  re- 
quirements for  glove-handed  operations  upon  the  re- 
liability of  the  white  room  workers. 

In  general,  all  of  these  factors  have  been  found 
to  be  inextricably  interwoven.  Recommendations  for 
increasing  human  reliability  in  white  room  operations 
were  made. 

INTRODUCTION 

In  recent  years  the  use  of  highly  controlled  en- 
vironmental work  settings  has  become  more  frequent. 
This  is  undoubtedly  due  to  the  fact  that  government  and 
industry  have  become  considerably  more  aware  of  the 
role  which  cleanliness  plays  in  the  fabrication  of  reli- 
able equipment. 

If  we  briefly  examine  a typical  white  room 
specification, 1 we  find  that  it  contains  special  require- 
ments relating  to: 

1.  temperature 

2.  humidity 

3.  pressure 

4.  dust  control 

5.  the  interior  finish  of  the  walls  and  ceilings 

6.  furniture 

7.  utilities 


8. 

fixtures 

9. 

lighting 

10. 

personnel  cleaning  chambers 

11, 

dust  preventative  clothing,  etc. 

In  addition,  such  a specification  also  calls  out 
the  special  regulations  and  procedures  which  white 
room  personnel  are  required  to  observe.  Examples  of 
some  of  these  are  as  follows: 

1. 

mitted. 

Excessive  coughing  or  sneezing  is  not  per- 

2. 

areas. 

Smoking  or  eating  is  prohibited  in  all  work 

3. 

Personal  articles  normally  carried  in  the 

pockets  such  as  keys,  watches,  coins,  handker chiefs, 
kleenex,  cosmetics,  etc. , are  not  permitted. 

4.  Special  dust-preventative  clothing  including 
boots,  caps,  and  gloves  must  be  worn. 

5.  Special  procedures  must  be  observed  in 
cleaning  shoes  and  utilizing  the  air  shower. 

6.  Finger  nails  must  be  scrubbed  and  cos- 
metics removed. 

7.  Eyeglasses,  if  worn,  must  be  washed  and 
dried  with  lint  free  tissue  prior  to  entering  the  white 
room,  etc. 

This  list  of  white  room  requirements  and 
regulations  is,  of  course,  by  no  means  complete. 
Nevertheless,  it  serves  to  indicate  the  peculiar  nature 
of  the  white  room  environment  and  the  working  condi- 
tions which  prevail  within  it. 

It  should  be  fairly  obvious  from  a review  of 
these  requirements  that  for  the  uninitiated,  this  is  a 
strange,  unusually  restrictive  place  to  work.  It  is  for 
this  reason  that  special  indoctrination  programs  pre- 
paring new  employees  to  meet  the  demands  of  this 
totally  unfamiliar  setting  have  been  developed  wherever 
white  rooms  exist. 


125 


Unfortunately,  management  very  often  naively 
assumes  that  the  unfamiliarity  of  the  white  room  situa- 
tion can  toe  readily  overcome  by  means  of  these  indoc- 
trination sessions  alone. 

Experience  has  shown  that  this  assumption  is 
erroneous,  although  such  programs  can  do  much  to  pre- 
pare the  new  employees  for  their  white  room  jobs.  A 
major  reason  for  this  is  the  fact  that  the  behavioral  re- 
quirements of  a particular  job  are  different  inside  the 
white  room  than  they  are  outside  of  it.  Consider,  for 
example,  the  nature  of  an  electronic  module  assem- 
bler's job  outside  the  white  room.  In  this  setting,  he 
usually  assembles  the  small  parts,  dressed  in  his  nor- 
mal work  clothing,  with  the  use  of  his  bare  fingers  and 
a number  of  personalized  tools  as  aids.  When  he  en- 
ters the  white  room,  however,  he  is  expected  to  ac- 
complish the  same  task  wearing  his  white  room  uni- 
form, gloves,  and  deprived  of  any  of  the  special  tools 
which  have  already  been  integrated  into  a well-devel- 
oped, smooth  and  successful  operation*  By  virtue  of 
these  seemingly  minor  changes  imposed  by  the  white 
room  environment,  we  have  nevertheless  changed  the 
behavioral  demands  of  the  job*  Glove-handed  finger 
dexterity  is  different  from  bare -handed  dexterity  and 
the  absence  of  familiar  aids  makes  it  necessary  for  the 
assembler  to  change  his  activity  in  order  to  accom- 
plish the  same  task  without  them-  Unfortunately,  the 
subtleties  of  such  differences  makes  them  difficult  to 
anticipate  and  their  adverse  effects  on  the  finished 
product  are  often  attributed  to  wrong  causes. 

The  aim  of  the  present  paper  is  therefore  to 
describe  techniques  and  procedures  which  the  writer 
has  employed  in  studying  human  factors  white  room 
problems  and  to  present  the  results  of  these  studies 
along  with  general  recommendations  for  maximizing 
human  performance  in  white  room  settings.  The  dis- 
cussion which  follows  will  therefore  concern  itself 
with  a number  of  critical  factors  which  singly  and  com- 
bined affect  workers1  performance.  Four  factors  will 
be  discussed — namely,  selection,  glove-handed  as- 
sembly, training,  and  morale  and  motivation. 

SELECTION  OF  WHITE  ROOM  PERSONNEL 

Since  a white  room  environment  is  in  many 
respects  alien  to  anything  which  most  workers  are  ac- 
customed to,  it  is  only  natural  to  consider  the  possibil- 
ity that  the  standard  selection  practices,  usually  em- 
ployed in  choosing  production  personnel  for  the  con- 
ventional production  job,  are  inadequate  or  inappropr- 
ate  for  the  pu rposes  of  white  room  selection.  That  this 
,1s  so,  has  already  been  alluded  to  in  the  introductory  sec- 
tion of  this  paper  and,  in  order  not  to  belabor  the  point, 
we  will  assume  that  the  matter  is  at  least  worthy  of  in- 
vestigation, Two  aspects  of  selection  must  be  consider- 
ed in  such  an  investigation.  These  are  skill  factors  and 
personality  factors.  The  former  refer  to  those  aspects 
of  the  worker's  behavior  which  constitute  his  technical 


proficiency,  while  the  latter  concern  his  psychological 
adjustment  to  his  work,  his  co-workers  and  his  physical 
surroundings.  These  two  aspects  of  selection  are 
equally  important  in  choosing  individuals  who  will  per- 
form their  jobs  reliably*  It  is  therefore  essential  that 
valid  selection  criteria  be  developed  for  each  of  them  in 
order  to  permit  us  to  predict  reliable  job  performance 
prior  to  placing  a worker  on  the  job, 

hi  a recent  study  performed  by  the  writer,  the 
following  steps  were  used  in  developing  the  skill  cri- 
teria for  white  room  personnel,  working  on  highly  com- 
plex electronic  communications  equipment  with  a very 
high  reliability  requirement. 

First,  a job  analysis  was  performed  on  each 
critical  white  room  job.  This  involved  a complete  re- 
view of  all  of  the  basic  tasks  of  each  job.  A detailed 
description  of  each  job  reviewed  was  written,  and 
served  as  basic  data  for  making  tentative  determinations 
of  the  types  of  aptitudes  necessary  for  successful  work 
performance* 

Second,  aptitude  tests  were  administered  to  each 
white  room  employee*  More  specifically,  the  General 
Aptitude  Test  Battery,  developed  by  the  United  States 
Employment  Service  and  consisting  of  twelve  individual 
tests  was  administered*  These  twelve  tests  measure 
the  following  nine  distinct  aptitudes : 

1*  general  intelligence 

2.  ability  to  comprehend  tne  meaning  of  words 

3.  ability  to  perform  arithmetic  operations 
quickly  and  accurately 

4.  ability  to  think  visually  about  geometric 
forms  and  to  comprehend  two-dimensional  objects 

5.  ability  to  perceive  pertinent  details  in 
objects  or  in  pictorial  or  graphic  material 

6.  ability  to  perceive  pertinent  details  in 
verbal  and/or  tabular  material. 

7 1 ability  to  coordinate  eyes  and  hands  or 
fingers  rapidly  and  accurately  in  making  precise 
movements  with  speed, 

8,  ability  to  move  the  fingers  and  manipu- 
late small  objects  with  the  fingers  rapidly  and  accu- 
rately* 

9,  ability  to  move  the  hands  easily  and 
skillfully.  2 

This  test  battery  was  administered  in  order 
to  determine  the  specific  combination  of  aptitudes 


126 


(specific  battery)  predictive  of  success  for  each  dis- 
tinct job  under  investigation*  Once  such  specific 
test  batteries  were  developed  for  each  white  room 
job,  they  could  be  compared  with  the  specific  bat- 
teries already  employed  to  select  workers  for  sim- 
ilar jobs  outside  the  white  room.  If  these  batteries 
were  identical  (i.  e,  consisting  of  identical  aptitudes) 
then  we  could  deduce  that  at  least  the  skills  neces- 
sary for  success  on  these  jobs  were  identical  inside 
and  outside  of  the  white  room.  If  the  specific  bat- 
teries were  different,  however,  the  new  specific 
batteries  developed  would  serve  as  selection  devices 
for  the  white  room  jobs. 

It  has  been  noted  above  that  skill  factors  rep- 
resent only  one  facet  of  white  room  selection*  The 
other  factor  is  the  personality  make-up  of  the  worker. 
Consequently,  the  development  of  suitable  selection 
criteria  must  also  take  into  account  personality 
traits.  The  Thur stone  Temperament  Schedule,  a 
personality  test  measuring  seven  distinct  personality 
traits  was  administered  to  each  white  room  employee. 
The  traits  measured  were  as  follows : 

1.  Active  (A),  A person  scoring  high  on 
this  trait  usually  works  and  moves  rapidly.  He  is 
restless  whenever  he  has  to  be  quiet.  He  likes  to  be 
"on  the  go"  and  tends  to  hurry*  He  usually  walks, 
writes,  drives,  and  works  rapidly  even  when  these 
activities  do  not  demand  speed. 

2*  Vigorous  (V).  A person  with  a high 
score  in  this  trait  participates  in  physical  sports, 
work  requiring  his  hands  and  the  use  of  tools,  and 
outdoor  occupations.  This  trait  indicates  an  empha- 
sis on  physical  activity  using  large  muscle  groups 
and  great  expenditure  of  energy.  This  trait  is  often 
described  as  " masculine' 1 but  many  women  and  girls 
will  score  high  in  this  area, 

3,  Impulsive  (I).  High  scores  in  this  trait 
indicate  a happy-go-lucky,  daredevil,  carefree,  act- 
ing-on- the- spur-of-the-moment  disposition.  These 
people  make  decisions  quickly,  enjoy  competition,  and 
change  easily  from  one  task  to  another.  The  decision 
to  act  or  change  is  quick  regardless  of  whether  the 
person  moves  slowly  or  rapidly  (Active),  or  enjoys  or 
dislikes  strenuous  projects  (Vigorous),  A person  who 
doggedly  "hangs  on"  when  acting  or  thinking  is  typical- 
ly low  in  this  area, 

4,  Dominant  (D) , People  scoring  high  on  this 
factor  think  of  themselves  as  leaders,  capable  of 
taking  initiative  and  responsibility,  They  are  not 
domineering,  even  though  they  have  leadership  abil- 
ity, They  enjoy  public  speaking,  organising  social 
activities,  promoting  new  projects,  and  persuading 
others.  They  are  the  ones  who  would  probably  take 
charge  of  the  situation  in  case  of  an  accident. 


5,  Stable  (E  for  emotionally  stable).  Persons 
who  have  high  scores  in  this  trait  usually  are  cheer- 
ful and  have  an  even  disposition.  They  can  relax  in  a 
noisy  room,  and  they  remain  calm  In  a crisis.  They 
claim  that  they  can  disregard  distractions  while  work- 
ing. They  are  not  irritated  if  interrupted  when  con- 
centrating, and  they  do  not  fret  about  daily  chores. 

They  are  not  annoyed  by  leaving  a task  unfinished  or  by 
having  to  finish  it  by  a deadline. 

6,  Sociable  (8).  Persons  high  in  this  trait 
enjoy  the  company  of  others,  make  friends  easily,  are 
sympathetic,  cooperative,  agreeable  in  their  rela- 
tions with  people.  Strangers  readily  tell  them  about 
personal  troubles, 

7,  Reflective  (R).  Persons  high  in  this  trait 
like  meditative  and  reflective  thinking.  They  enjoy 
theory  rather  than  practice.  These  people  are  usually 
quiet,  like  to  work  alone,  and  enjoy  tasks  which  re- 
quire accuracy  and  fine  detail.  They  often  take  on 
more  than  they  can  realistically  accomplish  and 
would  rather  plan  a job  than  actually  carry  it  out 
themselves,  ^ 

The  third  and  final  phase  of  the  program  for 
developing  selection  criteria  for  white  room  personnel 
involved  the  validation  of  the  aptitude  and  personality 
test  scores  against  actual  work  performance.  In  other 
words,  by  correlating  test  performance  with  work 
performance,  using  appropriate  statistical  techniques, 
we  were  able  to  determine  which  tests  were  predictive 
of  success  for  a particular  job.  To  perform  such  val- 
idation studies,  however,  it  was  necessary  to  have  a 
measure  of  work  performance.  Two  such  measures 
were  utilized.  One  was  in  the  form  of  objective  pro- 
duction records  indicating  quantities  produced,  number 
of  items  rejected,  number  of  items  produced  per  unit 
time,  etc.  The  other  was  in  the  form  of  supervisors' 
ratings  consisting  of  a numerical  appraisal  of  the 
worker's  performance  on  a number  of  distinct  work 
performance  factors. 

Although  no  attempt  will  be  made  in  this  paper 
to  present  the  specific  test  batteries  or  personality 
profiles  associated  with  success  on  the  white  room 
jobs  studied,  a number  of  general  findings  are  worthy 
of  mention.  Perhaps  the  most  significant  finding  is  the 
fact  that  the  nature  of  most  jobs  actually  change  when 
they  are  performed  in  a white  room  setting.  This  was 
evident  both  from  the  job  analyses  performed,  and 
from  the  fact  that  the  specific  test  batteries  predictive 
of  success  in  performing  jobs  in  the  white  room  were 
different  from  those  predictive  of  success  in  perform- 
ing the  same  jobs  in  conventional  factory  settings.  Of 
special  importance  in  this  connection  was  the  data  ob- 
tained from  the  job  analyses.  These  clearly  revealed 
the  impact  which  the  special  white  room  requirements 
impose  on  the  jobs  performed.  For  example,  the  em- 


127 


phasis  on  quality  rather  than  quanitity  completely 
changed  the  relative  importance  assigned  to  such  fac- 
tors as  speed,  accuracy,  visual  acuity,  manual  dex- 
terity, motor  coordination,  etc.  In  other  words,  each 
job  changed  as  a function  of  the  changes  in  the  skills 
required,  and  the  degree  to  which  these  skills  were 
needed  for  a particular  job.  So  far  as  personality  fac- 
tors are  concerned,  it  was  found  that  in  general,  the 
individuals  best  suited  for  white  room  work  generally 
obtain  scores  which  ranged  as  follows  on  the  seven 
factors  of  the  Thurstone  Temperament  Schedule: 

1.  High  in  (E)  Stable 

2.  Average  in  (A)  Action,  (V)  Vigorous,  (S) 
Sociable 

3.  Low  in  (I)  Impulsive,  (D)  Dominant,  (R) 
Reflective 

Individuals  whose  scores  do  not  fall  within  these 
broad  ranges  would  generally  find  the  adjustment  dif- 
ficult and  the  atmosphere  oppressive. 

The  recommendations  for  white  room  selection 
generated  by  the  study  are  as  follows: 

1.  Special  selection  criteria  for  skill  must  be 
developed  for  choosing  white  room  personnel.  This  is 
so  since  white  room  procedures  materially  alter  the 
skill  requirements  of  similar  jobs  performed  outside 
the  white  room.  The  paradigm  for  developing  these 
skill  criteria  have  been  described  above.  It  basically 
consists  of: 

a)  performing  a job  analysis  of  the  criti- 
cal white  room  functions 

b)  administering  a wide  range  of  aptitude 
tests  to  white  room  incumbents 

c)  correlating  the  aptitude  test  scores 
against  white  room  performance  measures  such  as 
production  records  and  supervisors’  ratings 

d)  deriving  special  aptitude  test  batteries 
predictive  of  success  for  each  of  the  critical  white 
room  jobs 

It  should  be  noted  that  the  specific  white  room 
aptitude  test  batteries  which  the  writer  derived  are 
not  presented  here  simply  because  the  nature  of  these 
jobs  will  generally  be  different  for  each  facility.  This 
is  so  because  the  specific  reliability  requirements  of 
each  project  differs  and,  as  such,  are  reflected  in  the 
manufacturing  process,  production) procedures,  and 
ultimately  in  the  jobs  to  be  performed.  The  need  for 
a test  development  program  in  each  ease,  however,  is 
generated  by  the  fact  that  high  reliability  equipment 


can  only  be  produced  by  workers  whose  performance 
is  highly  reliable, 

2,  Even  if  a worker  has  the  requisite  skills  to 
perform  reliably  in  a white  room  setting,  there  is  no 
guarantee  that  he  will  unless  he  possesses  the  neces- 
sary personality  traits  fori  making  a suitable  adjust- 
ment to  this  type  of  environment.  For  this  reason, 
skill  criteria  must  be  supplemented  with  appropriate 
personality  criteria  for  valid  selection.  Here,  how- 
ever, the  writer  feels  that  he  can  be  more  specific  in 
making  recommendations.  This  is  due  to  the  fact  that 
there  are  strong  similarities  in  the  general  character- 
istics of  most  white  rooms  regardless  of  the  specific 
jobs  performed  therein,  which  make  the  requirements 
for  personal  adjustment  highly  similar.  Accordingly, 
the  ideal  white  room  personality  seems  to  be  an  indi- 
vidual who  has  a high  degree  of  emotional  stability,  a 
moderate  need  for  general  activity,  physical  activity 
and  sociability,  and  a relatively  low  need  to  act  impul- 
sively, lead  others,  or  engage  in  meditative  or  reflec- 
tive activity.  The  Thurstone  Temperament  Schedule, 
mentioned  earlier,  appears  to  be  ideally  suited  to 
measure  these  traits  especially  in  view  of  the  fact  that 
its  items  are  couched  in  language  which  is  well  within 
the  reading  level  of  the  average  white  room  production 
worker, 

3,  A minimum  of  two  years  of  high  school 
should  be  required  of  white  room  employees  since  there 
is  a strong  emphasis  in  most  cases  on  understanding 
written  and  verbal  instructions,  both  during  training  and 
on  the  job. 

4,  Some  white  room  jobs  are  better  performed 
by  one  sex  than  the  other.  Generally,  the  writer  has 
found  females  better  suited  for  fine  assembly  tasks 
involving  small  parts,  while  males  seem  to  perform 
better  on  large  assemblies. 

While  it  is  theoretically  true  that  both  sexes  can 
be  trained  to  perform  each  job  equally  well,  the  normal 
cultural  influences  provide  differential  experience  for 
men  and  women.  It  is  therefore  wise  to  take  advantage 
of  these  differences  in  staffing  the  white  room. 

SPECIAL  PROBLEMS  ASSOCIATED 
WITH  GLOVE-HANDED 
WHITE  ROOM  ASSEMBLY  TASKS 

In  most  white  room  production  facilities  which 
have  a requirement  to  produce  very  sensitive,  highly 
reliability  missile  and  space  equipment,  assemblers 
are  required  to  wear  sheer,  lightweight  gloves  while 
performing  their  jobs.  These  gloves  are  worn  in  order 
to  reduce  the  probability  of  contaminating  the  equip- 
ment with  dust  particles  and  organic  substances  which 
adhere  to  or  are  generated  by  bare  skin.  The  need  for 
these  gloves  poses  a number  of  questions,  however, 
for  production  management.  The  questions  posed  are 
as  follows: 


128 


1*  What  effect  do  gloves  have  on  finger 
dexterity? 

2.  In  what  way  is  production  output  affected 
by  the  use  of  gloves  ? 

3.  Are  gloves  with  plastic  palms  and  fingers 
better  than  all-nylon  gloves? 

4.  Are  special  aptitude  tests  or  procedures 
required  for  measuring  glove-handed  finger  dexterity? 

An  experiment  was  therefore  designed  to  provide 
answers  to  some  of  these  questions. 

The  experiment  compared  the  performance  of 
two  groups  of  individuals  having  identical  aptitude  for 
bare-handed  finger  dexterity  on  a test  for  this  aptitude 
where  one  of  the  groups  took  the  test  with  gloves  and 
the  other  without  them.  Consequently,  the  difference 
in  performance  of  the  groups  if  any,  could  be  attrib- 
uted only  to  the  effect  of  wearing  gloves. 

The  results  of  the  experiment  clearly  indicated 
a significant  loss  in  finger  dexterity  and  a consequent 
decrease  in  output  when  gloves  were  used.  Further- 
more there  was  a predicted  loss  of  30%  in  output  for 
tasks  of  an  assembly  nature. 

An  experiment  identical  to  the  one  described 
above  but  comparing  all-nylon  gloves  with  gloves  having 
plastic  palms  and  fingers  was  also  performed.  The  re- 
sults of  this  experiment  showed  that  the  plastic  material 
does  not  facilitate  finger  dexterity  and  is  in  no  way  su- 
perior to  60  denier  nylon. 

This  study  therefore  leads  to  the  following  rec- 
ommendations: 

1*  Since  even  sheer,  lightweight  gloves  sig- 
nificantly reduce  finger  dexterity,  a very  careful  analysis 
should  be  made  to  determine  whether  or  not  their  use  by 
white  room  personnel  is  absolutely  essential  for  the  pur- 
pose of  reliability.  If  the  decision  to  use  gloves  is  made, 
a decrement  in  the  output  by  assemblers  is  to  be  expected, 


2.  Although  there  is  no  significant  difference 
between  all-nylon  gloves  and  gloves  with  plastic  palms 
and  fingers,  the  former  type  of  glove  is  preferred  be- 
cause it  is  easier  to  launder  and  does  not  peel  or  dis- 
integrate as  do  the  plastic  ones. 

3*  Since  a strong  aptitude  for  glove-handed 
finger  dexterity  is  essential  in  white  rooms  where 
wearing  gloves  is  a requirement,  the  conventional  finger 
dexterity  tests  used  for  selection  purposes  should  be 
administered  with  the  testee  wearing  gloves.  This 
will  provide  a more  direct  measure  of  aptitude  tor  glove- 
handed activities. 


TRAINING  WHITE  ROOM  PERSONNEL 

It  has  already  been  pointed  out  elsewhere  that 
white  room  management  often  naively  assumes  that  most 
of  the  problems  inherent  in  working  in  a white  room 
environment  can  be  solved  in  a number  of  training  ses- 
sions. The  preceding  discussion,  however,  should  serve 
to  emphasize  the  fact  that  some  individuals,  regardless 
of  training,  would  not  qualify  for  white  room  work  by 
reason  of  aptitude,  personality,  or  both.  Training  should 
therefore  be  thought  of  as  useful  in  preparing  the  qualified 
worker  for  his  job  in  the  white  room  rather  than  for  qual- 
ifying an  unqualified  individual.  In  other  words,  training 
cannot  serve  as  a substitute  for  a good  screening  and 
selection  program. 

It  is  only  after  suitable  selection  criteria  have 
been  used  to  choose  the  future  white  room  occupants 
that  a sound  training  program  can  be  developed.  Broadly 
speaking,  such  a program,  to  be  effective,  should  con- 
sist of  two  phases — namely  orientation  training  and  tech- 
nical training.  Orientation  training  should  provide: 

1.  A thorough  explanation  of  the  special  rules, 
regulations,  and  procedures  each  worker  is  required 
to  follow  and, 

2„  the  rationale  for  requiring  strict  adherence 
to  these  regulations. 

The  importance  of  this  phase  of  white  room  train- 
ing cannot  be  overemphasized  because  it  provides  the 
very  basis  for  each  worker’s  future  attitude  toward  con- 
forming both  to  apparently  rigid  standards  of  behavior 
and  to  a strange, unfamiliar  physical  setting.  Conse- 
quently, it  is  only  by  providing  him  with  a clear  under- 
standing of  the  reasons  for  these  standards  and  their 
implications  for  reliability  that  he  can  develop  positive 
attitude  toward  strict  adherence  to  white  room  procedure. 

Technical  training,  on  the  other  hand,  should 
be  primarily  concerned  with  teaching  each  white  room 
employee  the  specific  technical  skills  and  knowledge 
which  he  will  need  to  perform  his  job  adequately.  Em- 
phasis should  be  given  during  this  phase  of  training  to 
those  aspects  of  the  job  which  are  made  unique  due  to 
the  special  white  room  requirements  imposed  upon  them. 
Here  again,  every  opportunity  should  be  taken  to  pro- 
vide the  worker  with  the  rationale  for  employing  the 
special  techniques  and  procedures  which  he  will  be  re- 
quired to  adopt.  Such  explanations  are  essential  if  white 
room  personnel  are  to  develop  a genuine  willingness  to 
relinquish  old,  familiar  work  habits  for  unfamiliar,  new 
ones. 

Ideally,  training  should  take  place  in  an  environ- 
ment as  nearly  similar  as  possible  to  the  one  in  which 
the  actual  work  will  be  performed.  Simulating  the 
white  room  conditions  during  training  is  therefore  of 
special  importance  in  effecting  a suitable  transition 


12* 


from  training  to  the  real  work  situation.  Such  simula- 
tion can,  of  course,  be  easily  accomplished  if  a special 
area  of  the  white  room  is  set  aside  for  training  purposes 
only,  and  if  the  trainees  are  required  to  dress  and  behave 
according  to  white  room  procedure.  Where  the  aim  of 
training  is  to  teach  the  trainee  to  use  special  tools  or 
to  use  a tool  in  a special  way,  the  tools  and  the  units 
upon  which  they  are  to  be  used  should,  if  possible,  be 
identical  with  those  to  be  found  on  the  job. 

It  should  be  noted  that  on-the-job  training  is  not 
recommended  as  a part  of  white  room  training  since 
this  technique  permits  the  worker  to  learn  his  job  on 
equipment  which  is  being  produced  for  operational  use. 
Such  procedure  is  antithetical  to  high  reliability  and 
should  be  avoided.  Instead,  formal  training,  under 
simulated  conditions,  should  be  employed  to  bring  each 
worker  to  the  point  where  he  can  take  his  place  as  a 
reliable  contributor  to  the  manufacturing  process. 

Since  it  is  not  always  obvious,  it  is  necessary  to 
point  out  that  training  not  only  has  an  effect  upon  the 
reliability  of  human  performance  but  also  upon  condi- 
tions of  morale  and  motivation.  The  reason  for  this 
becomes  clear  when  we  consider  the  fact  that  a worker 
who  is  insufficiently  prepared  for  his  job  cannot  hold 
a very  favorable  attitude  toward  his  work  or  his  em- 
ployer. In  fact,  because  he  recognizes  this  depriva- 
tion, he  is  very  likely  to  resent  management  for  failing 
to  provide  him  with  the  necessary  wherewithal  to  under- 
stand and  perform  his  job  to  the  best  of  his  capacity. 

As  a consequence,  he  is  often  prone  not  to  put  forth  his 
best  effort, 

A sound  training  program  is  therefore  essential 
to  human  reliability  since  it  has  a profound  effect  both 
upon  worker  skills  and  attitudes, 

WHITE  ROOM  MORALE  AND  MOTIVATION 

The  level  of  white  room  morale  and  motivation 
is  a function  of  so  many  factors  that  it  is  often  amusing 
to  find  a superficial  attempt  to  control  it  by  means  of 
Mpep  talks' % newsletters,  posters,  special  badges,  and 
bulletin  boards.  While  such  techniques  can  be  benefi- 
cial, they  are  inadequate  to  materially  affect  the  basic 
psychology  of  the  white  room  workers.  Much  more  in- 
fluential in  this  respect  are  the  selection  and  training 
programs  which,  if  adequate,  go  a long  way  toward 
eliminating  the  white  room  “misfit1  * and  his  demoral- 
izing effect  upon  those  around  him. 

To  best  describe  the  complexity  of  factors 
which  contribute  to  conditions  of  poor  morale  and  mo- 
tivation, a specific  example  will  beicitedfrom  the  au- 
thor's experience  as  a white  room  consultant.  Con- 
sider for  example  the  following  complaints  made  to  the 
writer  by  male  assembly  workers  scheduled  for  white 
room  employment,  whose  morale  and  motivation  were 
at  an  extremely  low  ebb  in  anticipation  of  their  new  as- 


signment, They  complained  that; 

1,  Dressing  and  undressing  was  a nuisance 
and  that  the  procedure  was  extremely  cumbersome. 

2,  Adherence  to  the  strict  procedures  was  too 
much  of  a strain, 

3,  The  nature  of  the  work  was  tedious  and 
monotonous, 

4,  The  chances  for  advancement  were  either 
absent  or  extremely  limited, 

5,  The  pay  scale  did  not  seem  to  be  commen- 
surate with  the  special  work  requirements  imposed  by 
the  facility. 

6,  The  requirement  to  eat  lunch  in  a special 
area  within  the  white  room  itself  would  generate  a 
feeling  of  being  in  captivity, 

7,  The  sterile  condition  of  the  white  room  was 
a health  hazard. 

8,  The  protective  hood  would  cause  the  hair  to 
fall  out. 

9,  The  restrictions  upon  mobility  within  the 
white  room  were  too  confining, 

10,  The  requirement  to  work  with  gloves  made 
the  job  more  difficult, 

11,  The  prohibition  against  bringing"  personal 
tools  into  the  white  room  increased  the  difficulty  of  the 
job, 

12,  The  extreme  lighting  conditions  caused 
eyestrain. 

A careful  analysis  of  the  situation  revealed  that 
these  individuals  had  not  been  chosen  for  their  jobs  on 
the  basis  of  valid  selection  criteria.  As  a matter  of 
fact,  high  intelligence  and  strong  ambition  were  the 
principal  criteria  used  for  selection.  That  these  stand- 
ards were  inappropriate  can  be  gleamed  from  the  work- 
ers1 concern  with  the  monotony  of  the  work,  the  limit- 
ed chances  for  advancement,  and  the  desire  for  higher 

pay. 

The  situation  was  further  complicated  by  an  in- 
adequate training  program  which  failed  to  provide  the 
men  with  a suitable  rationale  for  the  special  white  room 
procedures.  This  partially  accounts  for  their  unaccept- 
ing attitude  toward  the  requirements  for  special  white 
room  clothing,  the  use  of  gloves,  the  prohibition  a- 
gainst  using  personal  tools,  and  the  strictness  of  white 
room  regulations. 


130 


It  will  be  noted  that  some  concern  was  express- 
ed with  respect  to  health  factors  * Here  again,  a good 
indoctrination  program  could  have  helped  dissipate  much 
of  the  fears  associated  with  excessively  sterile  white 
room  conditions,  falling  hair,  and  eyestrain* 

The  requirement  to  eat  a lunch  in  a special 
area  within  the  white  room  itself  was  an  unnecessary 
restriction*  Although  this  requirement  is  not  uncom- 
mon, it  could  not  be  easily  justified  to  the  workers  on 
the  basis  of  reliability*  Consequently,  the  feeling  of 
being  a ’’captive  empLoyeeTT  had  some  basis  in  fact, 
with  the  result  that  a good  deal  of  resentment  was  gen- 
erated because  of  it* 

During  the  course  of  the  analysis  it  was  dis- 
covered that  one  of  the  employees  possessed  a morbid 
fear  of  enclosed  places  (claustrophobia)*  This  individ- 
ual, obviously  unsuited  for  white  room  employment, 
may  have  conveyed  his  fear  to  others  around  him*  Per- 
haps this  accounts  for  the  unusual  preoccupation  of  a 
number  of  employes  with  the  confining  nature  of  the 
work  environment* 

If  we  review  the  factors  which  contributed  to 
poor  morale  and  motivation  in  our  example,  we  find 
the  following: 

1*  The  use  of  inappropriate  selection  criteria* 

2*  The  failure  of  the  training  program  to  prop- 
erly indoctrinate  white  room  trainees* 

3*  The  placement  of  an  undesirable  restric- 
tion on  employee  mobility  during  the  lunch  hour* 

4*  The  failure  to  screen  applicants  for  emo- 
tional disturbances  which  are  detrimental  to  effective 
white  room  performance. 

Because  it  is  typical,  the  specific  example 
cited  in  this  section  has  been  used  to  illustrate  the 
principal  determinants  of  white  room  morale  and  mo- 
tivation* It  will  therefore  serve  to  concretise  the  gen- 
eral recommendations  which  follow: 

1,  Valid  selection  criteria  and  effective  train- 
ing are  critical  to  the  development  and  maintenance  of 
favorable  morale  and  motivation  conditions*  Their 
importance  has  already  been  fully  discussed* 

20  All  restrictions  on  human  activity  or  mobil- 
ity should  be  avoided  unless  they  are  absolutely  nec- 
essary for  reliability.  Unless  this  principle  is  followed, 
morale  and  motivation  will  suffer  due  to  a build-up  of 
resentment  against  the  unreasonable  encroachment  on 
personal  freedom. 


3*  Techniques  and  procedures  should  be  de- 
veloped for  reducing  the  monotony  produced  by  work- 
ing continuously  in  a homogeneous  environment.  One 
such  technique  would  be  to  permit  white  room  employ- 
ees to  eat  lunch  outside  the  white  room. 

4*  All  persons  considered  for  white  room  work 
work  should  be  screened  by  the  plant  physician  to  in- 
sure the  absence  of  severe  emotional  problems.  Es- 
pecially harmful  to  white  room  morale  are  individ- 
uals who  possess  strong  tendencies  toward  claustro- 
phobia (fear  of  enclosed  or  confined  places)  and  hypo- 
chondria (preoccupation  with  health).  The  personal- 
ity tests  used  during  selection  should  also  serve  to 
eliminate  emotionally  unstable  applicants. 

In  conclusion,  the  writer  would  like  to  point  out 
that  he  has  dealt  in  this  section  with  factors  which  he 
considers  to  be  intrinsic  to  morale  and  motivation. 

If  these  are  optimized  there  may  be  very  little  need  to 
rely  on  anything  else. 

REFERENCES 

1,  USAF  Technical  Manual  T,  O.  00-25-203 
Standard  Functional  Criteria  for  Design  and  Operation 
of  Clean  Rooms,  March  1961* 

2.  Guide  to  the  Use  of  General  Aptitude  Test 
Battery,  Section  HI:  Development,  United  States  Depart- 
ment of  Labor,  Bureau  of  Employment  Security,  July 
1953. 

3*  Examiner's  Manual  for  the  Thurstone  Tem- 
perament Schedule,  2nd  Edition. 


131 


RESOURCES  TO  SUPPORT  A MAN-MACHINE  SYSTEM 


E.  W.  Pickrel,  Ph.D. 

_ Life  Sciences  Section 

j Missiles  and  Space  Systems 
^Douglas  Aircraft  Company,  Inc. 
Santa  Monica,  California 

W.  W.  Haythorn,  Ph.D. 

Rand  Corporation 
Santa  Monica,  California 


SUMMARY 


This  paper  describes  a procedure  for  estima- 
ting direct  maintenance  personnel  requirements. 
A model  is  presented  for  gathering  information. 
A sample  problem  is  used  to  describe  manipula- 
tion of  the  information  to  derive  a manning 
document . 


INTRODUCTION 


Needs  for  early  support  requirement  estimates 
are  well  known.  Personnel  plans  must  be  made 
well  in  advance  of  weapon  system  acquisition 
to  get  the  necessary  budget  approval;  develop 
and  construct  training  procedures,  equipment 
and  facilities;  select,  recruit  and  train 
personnel;  and  determine  the  requirements  for 
and  construct  housing  and  other  personnel  facil- 
ities. Some  initial  estimates  of  total  manning 
numbers  generally  must  be  made  at  least  three 
or  more  years  before  system  acquisition,  and 
the  additional  details  of  skill  types  and 
levels  at  least  two  years  in  advance. 

An  objective  stated  explicitly  in  many  person- 
nel requirement  estimates  growing  out  of  GORs, 
SORs,  manufacturer's  proposals  and  the  like, 
is  to  minimize  personnel  requirements.  This 
objective  is  considered  wrong.  The  objective 
advanced  here  is  to  increase  an  effectiveness- 
to-cost  ratio. 

Assumptions 

A decentralized  missile  force  with  a central 
maintenance  area  will  be  used  as  an  example 
when  illustrating  the  effectiveness -to-cost 
ratio,  but  a subtender  with  subs  is  equally 
appropriate.  A series  of  assiHnptions  are  made. 

a.  Launch  capability  can  be  increased  by 
either  placing  more  maintenance  capabil- 
ity at  the  origin  of  demands  (buying 
more  maintenance  capability)  or  buying 
more  missiles. 


b.  Centralization  of  resources  so  they 
serve  multiple  locations  provides 
greater  opportunity  for  resource  utili- 
zation but  the  travel  time  reduces 
weapon  responsiveness  and  increases  mis- 
sile downtime. 

c.  Missile  system  are  quick  reaction 
weapons.  Maintenance  capability  at  a 
central  support  area  is  useless  after 
the  start  of  hostilities. 

d.  Resources  may  be  ranked  by  potential 
rate  of  call,  as  a guidance  technician 
may  have  a higher  expected  rate  of  call 
than  an  air-frame  repairman.  In  this 
case,  the  value  of  each  additional  man 
placed  at  .the  origin  of  requirements 
diminishes  with  each  successive  assign- 
ment. Eventually  the  manning  of  an 
additional  position,  and  its  potential 
return  in  launch  capability,  costs  more 
than  a comparable  return  from  purchase 
of  another  missile.  At  this  point  the 
cost  of  manning  an  additional  position 
is  considered  greater  than  its  potential 
return  through  increased  launch  capa- 
bility. Purchase  of  more  missiles  be- 
comes the  efficient  approach  to  increase 
in  launch  capability. 

Procedure 


All  resources  are  tentatively  located  at  the 
central  area  and  made  available  through  spe- 
cialist dispatch  to  the  source  of  demands.  To 
compute  the  expected  alert  levels  with  non- 
manned  launch  complexes,  the  expected  demands 
are  multiplied  by  the  times  required  to  meet 
them  plus  the  travel  time  from  the  central 
maintenance  area,  and  this  product  is  sub- 
tracted from  the  total  missile  time  available. 
This  residual  number,  divided  by  the  total  mis- 
sile time  available,  yields  the  percentage  of 
missiles  normally  on  alert  if  the  number  of 


133 


TABLE  1 

LIFE  OF  A SYSTEM 


134 


SUPPORT  RESOURCE  INFORMATION  l-IODEl 


Q 


135 


of  maintenance  men  assigned  to  the  launch  com- 
plex is  zero.  (This  is  convert able  to  expected 
launch  success  by  multiplying  the  alert  per- 
centage by  missile  launch  reliability.  For 
example.,  if  expected  alert  is  70$  and  launch 
reliability  is  50$.,  expected  launch  success  is 
35  St.) 

The  first  position  filled  at  the  source  of  de- 
mands is  that  -which  makes  the  greatest  contri- 
bution to  launch  capability  (the  criterion).  The 
cost  of  manning  this  position,  including  the 
requirements  for  crew  rotation,  equipment,  and 
additional  facilities,  is  compared  to  the  cost 
of  an  equivalent  increase  through  purchase  of 
another  missile.  When  manning  the  position  is  a 
more  efficient  approach,  the  assignment  is 
accomplished. 

The  residual  of  tasks  is  reaggregated  to  form 
new  positions  and  that  position  at  the  source 
of  demands  which  would  make  the  second  greatest 
contribution  is  filled.  The  cost  of  maiming 
this  position  is  compared  to  the  cost  of  an 
equivalent  increase  through  purchase  of  another 
missile.  When  manning  the  position  is  a more 
efficient  approach,  the  assignment  is  accom- 
plished. The  iteration  is  continued,  manning 
positions  at  the  source  of  demands  until  the 
cost  of  an  equivalent  increase  through  purchase 
of  another  missile  is  the  more  efficient  approach. 
This  approach  to  resource  allocation,  this  trade- 
off between  cost  of  a man  and  his  contribution 
to  launch  capability,  is  an  insurance  alloca- 
tion procedure.  It  in  no  way  reflects  the 
common  objectives  of  minimizing  manpower  re- 
quirements or  maximizing  manpower  utilization. 

Maintenance  manning  for  the  central  support 
area  is  determined  by  first  estimating  total 
workload  expected  for  the  organization  and 
assigning  as  much  of  it  as  possible  to  insur- 
ance resources  already  allocated  at  the  source 
of  demands . Then  the  additional  men  required 
to  accomplish  the  residual  workload  are  assigned 
to  the  centralized  maintenance  area.  To 
illustrate  the  procedure  we  now  would  like  to 
work  through  an  example  problem  with  you. 

THE  PROBLEM 

How  many  of  what  kinds  of  resources  are  needed 
where  and  when  to  support  a missile  or  a man- 
machine  system?  This  is  an  example  support 
allocation  problem.  Look  at  Table  1.  This 
presents  a time  phasing  of  the  life  of  a system. 
Tmagine  yourself  at  point  A.  A word  picture  of 
need  for  a new  system  has  been  presented  in 
such  nebulous  terms  as  "We  need  a missile  type 
of  weapon."  The  ideas  at  point  B,  (we  need  an 


1CBM,  perhaps  several  per  target),  of  a system 
to  meet  these  needs  provide  a highly  abstract 
picture  of  system  composition.  Imagine  your- 
self being  asked,  at  this  point  in  system 
development,  to  specify  the  resources,  the 
personnel,  spare  parts,  and  equipment  for 
support  of  the  system. 

Imagine  yourself  at  point  D,  and  being  asked 
the  same  questions.  Now  a sample  system  is 
available.  You  can  be  far  more  accurate  in 
your  description  of  support  needs  if  you  accu- 
mulate the  right  kinds  of  information. 

This  paper  describes  an  information  model  for 
use  at  the  point  I)  stage  when  estimating  re- 
sources to  support  a system.  The  inputs  can 
be  identified  within  exhibits  and  requirements 
present  in  today* s Air  Force  contracting 
structure. 

Resource  requirements  will  be  computed  for  a 
sample  problem.  The  model  assumes  availabil- 
ity of  information  from  earlier  stages  such  as 
A,  B,  and  C in  Table  1.  Information  in  the 
model  has  been  generalized  for  application  to 
these  other  stages  of  system  life. 

AN  INFORMATION  MODEL 

Table  2 is  a schematic  illustration  of  the 
information  model  or  basic  data  package.  The 
numbers  and  location  of  resources  to  support 
a system  can  be  determined  by  analyzing  the 
characteristics  of  the  support  unit.  The 
support  unit  is  a lowest  common  denominator  for 
support  at  a given  location.  Call  this  one  a 
stable  platform  in  the  guidance  system. 

Support  Unit 

You  must  identify  support  requirements  at  the 
module,  component,  or  unit  level  that  support 
will  occur.  This  level  of  detail  will  vary 
with  location;  limiters  will  be  introduced 
later. 

Describe  the  system-oriented,  functional 
characteristics  of  the  unit.  If  its  uncor- 
rrected  failure  would  abort  the  missile,  there 
is  need  for  immediate  corrective  maintenance. 
This  kind  of  demand  imposes  a high  time  stress 
on  the  resource  structure.  Identify  these 
critical-task  characteristics.  How  frequently 
will  the  demands  for  resources  arise? 

Kinds  of  Tasks  Imposed  by  Support  Units 

Identify  resource  requirements  imposed  by  each 
kind  of  task.  The  information  model  shows  task 


136 


Maintenance  Tasks  Maintenance  Tasks 


CD 

0)  > 

1 1 

4 

o 

o 

O 

i ■ 4 

Cal. 

o 

o 

o 

O 

o 

C 

© 

O 

£ 

0 

O 

o 

4 

4 ■ 

4* 

o 

Inspec. 

4 

4 

o 

4- 

4 

G 

o 

Cal. 

o 

o 

O 

o 

•H 

•P 

O 

< 

H 

CO 

•H 

*8 

§ 

PS 

Repair 

o 

o 

o 

O 

° 1 

Remove 

4 

4 

f 

+* 

4 

Diagnosis 

Man. 

+* 

O 

f 

o 

+ 

& 

s: 

o 

0 

a 

+ 

o 

+* 

O 

i — 1 

cO 

o 

*r-i 

-P 

•H 

U 

O 

t 

o 

± 

4 

+* 

o 

Support 

Unit 

f — i 

Oi 

cn 

-4 

lf\ 

137 


Code:  + Yes 


CORRECTIVE  MAINTENANCE  TASKS 


* 

<r\ 

Lf\ 

•HI 

• ft 

• • 

rl 

Cr 

Cfl 

CM 

CM 

O 

o 

O 

o 

Jh 

-P 

*r4 

<r\ 

C^i 

O 

(0 

** 

* * 

< 

P* 

£>■ 

tr\ 

r—i 

CO 

Q) 

cd 

CM 

o 

-4 

O 

■H 

% 

§ 

od 

a> 

> 

CM 

ir\ 

CM 

Q 

•• 

•* 

£■ 

LTN 

L/\ 

iH 

-4 

H 

CM 

o 

CM 

• 

o 

0) 

S 

X 

m 

; 

ta 

r\ 

i 

CO 

■H 

CM 

H 

CM 

<0 

3 

• ■ 

H 

CM 

£ 

r- 

r^- 

CM 

o 

CM 

O 

u) 

■8 

-P 

o 

0 

fi* 

>> 

I 

O* 

£ 

■H 

C0 

.002 

,0022 

,0002 

ff 

0 

* 

u 

Cm 

D 

-p 

u 

o 

Pi 

*P 

§• 

a 

1-\ 

<r\ 

-4 

CO 

:=> 

138 


Kind  of  Resource  Designator.  Analogous  to  an  AFSC. 

Time  to  accomplish  task.  Two  15-minute  periods  in  the  example. 


RESOURCE  TABULATION 


Cal 

CO 

O 

8 

• 

-4 

co 

8 

• 1! 

il  S 

P,  W 

W 

Repair 

.002 

1 — 1 
02 

lemove 

.0002 
1 

uo 

•H 

Q 

.000$ 

Cal 

2P  = .0012 
2N  = 2 

ir\ 

-4 

O 

Repair 

.0003 

Remove 

6000* 

Diag 

027 

Cal 

.002 

1 — 1 
0O 

o 

o 

• 

.0166 
= 7 

Repair 

.0022 

v£> 

-4- 

8 

• 

Remove 

ii 

II 

a.  M 

H 

Diag 

.002 

.0002 

•n 

a 

c. 

a 

i 

Frequency  1 
of  Failure 

— 

.002 

.0022 

.0002 

vO 

-4 

8 

• 

co 

o 

o 

o 

• 

1 — 1 
co 
O 

o 

• 

6000* 

io 

02 

8 

• 

vO 

CO 

o 

o 

• 

Support 

rH 

CO 

-4 

On 

17 

28 

cv 

co 

67 

92 

139 


separation  into  corrective  (malfkmction-generated) 
and  preventive  maintenance  tasks. 

Preventive  Maintenance*  The  preventive  main- 
tenance tasks  generally  are  not  pursued  during 
a battle.  The  time  when  resources  mil  meet 
these  demands  can  be  controlled  by  management 
without  a change  in  missile  readiness * without 
an  additional  loss  in  missile  alert  time. 

Location  of  resources  to  meet  these  require- 
ments is  determined  by  workload*  a resource 
utilization  criterion.  The  category  includes 
inspection,  a symptom-seeking  act  frequently 
accomplished  for  a group  of  support  units  at 
a given  moment*  scheduled  calibration  or  peri- 
odic alignment  to  desired  standards*  a servicing 
cluster  which  includes  cleaning  and  lubrication* 
and  scheduled  removal  of  items  for  overhaul  or 
condemnation. 

Corrective  Maintenance.  The  time  that  mal- 
functions will  occur  is  generally  not  controll- 
able by  management.  The  result  of  malfunctions 
is  a loss  in  missile  alert*  missile  readiness. 
Identify  resources  and  time  required  for  cor- 
rective maintenance  of  the  support  unit. 

Mechanical  diagnostic  equipment  isolates  mal- 
functions in  some  support  units.  Identify  the 
manual  assists  that  are  required.  Identify 
the  appropriate  corrective  action  and  resources 
necessary.  The  support  unit  per  se  may  be 
removed  and  replaced  at  the  using  location  or 
it  may  be  an  integral  part  of  a higher  assembly. 
When  within-unit  repair  is  appropriate*  identify 
the  environmental  and  resource  requirements. 
Calibration  or  alignment  following  the  corrective 
action  also  requires  resources  for  a given 
length  of  time.  Table  3 is  the  same  model  in 
tabular  form*  and  presents  another  important 
consideration. 

Some  support  units  are  critical;  correction  of 
malfunctions  in  these  support  units  would  in- 
crease the  number  of  missiles  launched.  Failure 
of  support  units  1*  3 or  4 would  cause  an  abort 
of  the  missile.  Their  corrective  maintenance 
tasks  are  marked  with  asterisks.  Resources  to 
accomplish  these  critical  tasks'  which  would  in- 
crease the  number  of  missiles  launched  in  time 
of  crisis*  are  described  with  greater  detail  in 
Table  4.  If  support  unit  number  1 malfunctions* 
a specialist  027  is  needed  for  2 units  of  time 
to  isolate  the  fault.  The  02  code  represents 
an  engine  mechanic;  the  7 is  his  skill  level. 

The  time  units  are  15 -minute  periods  in  this 
problem.  Specialist  215  spends  30  minutes  in 
removing  and  replacing  the  malfunctioning  unit. 

An  027  spends  45  minutes  realigning  the  system. 

The  use  of  different  specialists  in  support  of 


a single  unit  directs  attention  to  possible 
use  of  the  model  as  a carrier  of  task  data 
and  later  aggregating  it  into  positions.  The 
Expected  Frequency  of  Failure  column  lists  the 
number  of  times  this  unit  is  expected  to  fail 
and  generate  requirements  for  each  of  these 
tasks.  To  summarize*  the  table  describes: 

(a)  expected  frequency  each  support  unit  fails 
during  a launch  program*  (b)  kind  of  action 
necessary*  (c)  kind  of  resource  to  perform  it* 
and  (d)  time  necessary  to  accomplish  the  task. 
What  resources  are  needed  to  support  these 
possible  demands?  The  resource  information 
is  fragmented  by  support  unit  and  needs  aggre- 
gation by  kind  of  resource. 

Kinds  of  Resources  Required  to  Accomplish  Tasks 

Table  5 presents  a re-sorting  and  aggregation 
by  kind  of  resource.  All  tasks  in  the  launch 
criterion  category  to  be  accomplished  by  a 
specialist  kind  027  are  listed  here.  Their 
sum  is  presented  at  the  base  of  the  column. 

Only  seven  tasks  may  call  for  the  services  of 
specialist  027*  The  chance  of  call  during 
this  kind  of  program*  launch  preparation*  is 
.0166.  Most  of  the  time  these  resources  would 
be  idle.  Yet  there  is  a chance  of  two  or  more 
calls  for  a specialist  to  occur  simultaneously. 

Resources  are  assigned  tentatively  for  these 
critical  tasks  which*  by  definition*  they  can 
meet.  These  launch  critical  or  time-stress 
tasks  are  the  criteria  for  placing  resources 
at  the  source  of  demands.  A corollary  prob- 
lem is  accomplishment  of  non- critical  day-to- 
day  tasks.  These  are  assigned  until  either 
the  resources'  available  time  or  the  task 
pool  is  exhausted. 

AN  APPLICATION 


This  model  was  used  in  a simulated  I CBM 
setting  in  the  RAND  Logistics  Systems  Lab- 
oratory to:  (a)  yield  resource  allocation 

(man  and  support  equipment)*  (b)  estimate  the 
degree  they  were  utilized*  and  (c)  show  the 
relation  between  increasing  launch  crew  size 
and  operational  alert  and  launch  success.  We 
plan  to  use  the  model  in  estimating  maintenance 
requirements  for  Skybolt*  a Douglas  ALBM  for 
SAC  and  British  Aircraft. 


140 


ON  THE  APPLICATION  OF  LINEAR  PROGRAMMING  TECHNIQUES  TO  HUMAN  FACTORS  IN  SPACE  Wv^RAMS 


74 


Paul  A®  Young 
Sperry  Utah  Company 
Salt  Lake  City*  Utah 


This  paper  presents  a mathematical  model 
which  provides  optional  crew  task  scheduling® 

The  model  employs  linear  programming  techniques 
to  define  an  objective  function  to  be  optimized 
based  upon  individual  task  proficiencies*  A dis- 
cussion  of  the  definition  and  evaluation  of  pro- 
ficiency indices  preceeds  the  presentation  of  the 
assignment  model*  The  methods  used  to  solve  the 
proposed  model  are  not  discussed  because  they  are 
felt  to  be  beyond  the  scope  of  this  paper* 

li 

The  functional  representation  of  the  prob- 
ability of  mission  success,  or  reliability  of  a 
space  vehicle  is  defined  in  terms  of  two  implicit 
reliability  functions?  (l)  the  reliability  of  the 
equipment  and  (2)  the  reliability  or  proficiency 
of  man*  In  general  these  two  functions  are  not 
independent,  but  are  in  turn,  functions  of  each 
other®  Estimates  of  equipment  reliability  can  be 
made  through  the  use  of  testing  procedures  on  the 
equipment  and  statistical  models  to  evaluate  the 
data  from  the  tests®  The  evaluation  of  human 
proficiencies  can  be  made  in  much  the  same  way* 
Testing  procedures  consistant  with  objectives  can 
be  devised  and  statistical  models  consistant  with 
the  tests  applied* 

Once  these  reliabilities  or  proficiencies 
have  been  established  it  is  possible  to  optimize 
the  reliability  of  the  mission*  One  aspect  of 
this  optimization  is  to  optimize  crew  selection, 
scheduling,  and  task  assignment® 

Proficiency  Indices 
Jndj&es 

The  first  step  in  optimizing  human  profi- 
ciency is  the  assignment  of  a proficiency  index 
for  each  crew  candidate  for  each  expected  task® 
The  proficiency  index  is  defined  as  a number 
which  is  a measure  of  the  ith  man’s  capability  in 
the  jth  task®  This  number  would  be  assigned 
according  to  the  results  of  specific  tests  per- 
formed® 

The  processes  involved  in  the  testing  re- 
quire certain  observations  to  be  made  according 
to  some  statistical  model  and  that  the  data  be 
reduced  to  provide  summary  statements  appropriate 
to  the  investigation®  The  results  of  such  data 
often  conform  to  one  or  two  distinct  but  related 
types r those  pertaining  to  the  differences  and 
those  pertaining  to  the  consistencies  between 
variables®  The  form  of  the  statistics  is 
generally  the  ratio  of  two  variance  estimates, 
one  pertaining  to  the  controlled  variation  in  the 
tests  and  the  other  to  the  uncontrolled,  ©r 


sampling,  errors®  Two  statistics  which  are 
commonly  used  in  connection  with  these  variance 
estimates  are  Snedecor§s  test-statistic  (F)  and 
the  coefficient  of  interclass  correlation  (R)® 
Each  of  these  statistics  is  Used  to  answer  a 
different  questions  F is  related  to  questions  of 
difference  while  R is  related  to  questions  of 
consistency® 

Evaluation  of  Proficiency  Indices 

Pursuing  this  reasoning  in  more  detail,  the 
analysis  of  variance  model  for  a double  or  two- 
way  classification  is  shown  below®  Suppose  the 
scores  for  individuals  are  classified  into  A 
groups  on  the  basis  of  one  characteristic  and  in- 
to B groups  on  the  basis  of  another®  Three  com- 
ponent-of-variance  models  are  considered?-  com- 
ponents of  variance  model  (both  classifications 
A and  B involve  sampling  from  a normal  popula- 
tion), fixed  components  model  (both  classifica- 
tions A and  B involve  no  sampling),  and  mixed 
model  (classification  A involves  sampling  while 
classification  B involves  no  sampling)® 


1 

2 

3 

3 

A 

1 

xn 

x12 

x13 

xlj  ' 

X1A 

2 

x2l 

x22 

x23 

X2j 

X2A 

i 

xil 

xi2 

xi3 

Xij 

xiA 

■ i 

B 

XB1 

XB2 

XB3 

XBj 

XBA 

Each  model 

requires 

the  same 

breakdown 

of 

the  sum  of  squares  and  degrees  of  freedom,  giving 
the  same  variance  estimates®  The  fundamental 
differences  between  the  analyses  of  the  models  is 
in  the  choice  of  the  proper  variance  estimate  to 
be  used  with  the  F statistic®  It  is  important  to 
note  that  the  choice  of  one  crew  member  in  pre- 
ference to  another  reduces  to  the  same  kind  of 
problem  in  the  analysis  of  variance  as  the  choice 
of  one  transistor  in  preference  to  another®  If 
the  analysis  of  variance  model  has  three  classi- 
fications  instead  of  two  then  similar  techniques 
may  be  used®  For  example,  if  there  is  no  inter- 
action, the  model  becomes  that  of  the  Latin 
Square® 

One  essential  difference  that  exists  be- 
tween the  physical  and  the  behavioral  sciences 
(namely,  the  question  of  level  of  measurement) 


ikl 


makes  it  necessary  to  extend  the  evaluation 
techniques  for  the  human  factors  area.  Many 
measurements,  especially  in  personality  studies 
do  not  reach  the  level  that  is  necessary  in  order 
to  justify  the  use  of  the  F statistic.  Members 
are  arranged  only  in  terms  of  the  order  of  mag- 
nitude of  an  attribute  and  in  some  cases  in  groups 
without  regard  to  order  within  the  group.  In 
either  case,  the  analysis  of  variance  techniques 
based  upon  the  F statistic  cannot  be  used.  For 
such  studies,  use  can  be  made  of  non-pararaetric 
tests  such  as  the  chi-square  o Kolmogorov- 
Smirnov  distributions.  Although  these  tests  are 
not  as  sensitive  as  the  parametric  ones,  they 
will  serve  as  a satisfactory  basis  in  many  cases 
for  detecting  differences  among  members* 

Based  upon  the  differences  shown  in  the 
models,  each  crew  candidate  can  then  be  assigned 
a proficiency  index  for  each  task.  This  index 
will  reflect  his  capability  in  that  task  and  his 
standing  with  respect  to  the  other  candidates 
performances.  Using  these  Indices  the  problem  is 
to  optimize  crew  selection  and  assignment  so  as 
to  optimize  the  probability  of  mission  success. 

Linear  Programming  Model 

Jha.  Genes?  JLMfldal 

Linear  programming  could  be  defined  as  a 
methodology  for  optimizing  a given  linear  func- 
tion in  terms  of  given  linear  constraints,  and 
the  variables  in  the  function  to  be  optimized  are 
usually  constrained  to  be  non-negative.  Consider 
the  system  of  m linear  equations  in  k unknowns 

all  X1  + a12  x2  + + alk  xk  = bl 

a21  X1  + a22  X2  + — + a2k  xk  = b2 

• * * * 

. . . . (1) 


of  linear  equations  (l),  the  solution  which  con- 
tains  only  non-negitive  variables  and  for  which 
the  linear  form  (3)  is  an  extreme. 

The  general  linear  programming  problem 
shown  above  is  given  in  the  standard  form  where 
all  the  constraint  conditions  are  stated  as 
equations*  and  the  variables  are  required  to  be 
non-negative*  This  need  not  be  the  case  gen- 
erally, Linear  programming  applies  equally  well 
to  problems  where  the  constraints  are  inequal- 
ities or  a mixture  of  equations  and  inequalities, 
and  some  of  the  variables  can  be  negative. 

If  a constraint  is  defined  as  a less-than 
condition  so  that 


ail  X1  + ai2  x2  + + ain  xn  “ bi  ^ 

then  this  constraint  can  be  written  in  the  form 
of  an  equation  by  adding  a non-negative  variable 
3^  to  the  left  hand  side  and  writing 

ail  X1  +ai2  x2  + — ain  xn  + si  = bi  (5) 

The  variable  s^  is  called  a slack  variable  be- 
cause It  measures  the  slack  in  the  original  in- 
equality. If  the  constraint  Is  written  as  a 
greater-than  condition  then  by  subtracting  a non- 
negative slack  variable  this  can  be  written  as 
an  equation* 

The  objective  function  (3)  is  in  standard 
form  when  it  is  to  be  minimized.  If  in  fact  an 
objective  function  Is  to  be  maximized 


x^  + x2  + **,  + kin  xn  - maximum 

(6) 


aml  X1  + am2  x2  + •••  + amk  xk  = bm 


then  this  can  be  put  into  standard  form  by 
writing 


where  x* , x2,  ***  t are  unknown  and  the  other 
quantities  are  constants*  Suppose  the  equations 
are  consistent  but  not  sufficient  to  determine 
the  uniquely.  This  indeterminacy  will  occur 
if  k > m,  if  k.  - m and  the  system  is  lirieaTly 
dependent;  or  if  k<  in  the  indeterminacy  may  also 
exist*  If  the  additional  conditions 


-k41  xt  - k.*  x0  - -k.  x - minimum 

xx  i xd  z in  n 

(7) 


The  standard  form  is  usually  a necessity  for 
pfiany  of  the  solution  techniques  to  converge* 

The  Assignment  Model 


- G I 1 = Ip  2f  «*•  , k (2) 

d X2  + c2  x2 + ***  + cfc  Xk  = minimum  (3) 

are  imposed,  where  clt  C2f  •••  , ek  are  given 
constants,  then  the  problem  is  to  select,  out  of 
the  infinite  number  of  solutions  of  the  system 


Using  the  general  linear  programming  model 
the  assignment  model  can  now  be  formulated* 
Assume  k candidates  are  to  be  assigned  to  k 
tasks*  Let  x^j  be  the  fraction  of  time  the  ith 
man  spends  on  the  jth  task  and,  again,  let  c^j 
be  the  proficiency  or  effectiveness  the  Ith  man 
has  for  the  jth  task*  Then 


lb2 


xii  + xi2  + ***  + xik  = 1 
if  each  man  is  to  be  fully  occupied-  And 

t ^ xkj  = 


First 

Candidate 

Second 

Candidate 

Third 

Candidate 

Task  A 

4 

3 

7 

Task  B 

6 

5 

a 

Task  C 

4 

4 

6 

if  each  task  is  to  be  filled*  The  constraints 
can  be  written  in  more  compact  form  as 


K. 

Xy  - 1 j =1,2,  ...  , k {10) 


k 

I 

i=l 

k 


— 1 i = 1)  2j  «4«  j k (ll) 

h 


The  objective  function  would  become 


*11  XU  + c12  X12  + •**  + cij  xij  + 

+ ...  + c^k  xkk  = maximum  (12) 


or 


£ °ij  xij 

3=1 


maximum 


(13) 


where  the  double  summation  indicates  the  values 
are  to  be  summed  over  all  indices  i,  j#  Obvi- 
ously, the  x*.  are  constrained  to  be  non-negative 
since  negative  values  would  have  no  physical 
meaning* 


Table  T 

Proficiencies  of  Three  Candidates 
for  Three  Tasks 


The  equations  of  constraint  for  this  exarrple 
would  be 


XU  * *12  + x13  = 1 

X21  + x22  + x23  = 1 

X31  + x32  + x33  = 1 

X11  + X21  + X31  = 1 

X12  + *22  + X32  = 1 

x13  + x23  + x33  “ 1 
And  the  objective  function  would  be 


(14) 


4xL1  + 3xl2  + Tx13  + 6x21  + 5^22  + 8x23  + 

+ 4x3^  + 4x32  + 6x33  ’ maximum 


This  model  has  one  interesting  property  that 
other  linear  programming  models  do  not  have. 

Since  the  right  hand  terms  of  the  constraint 
equations  are  integral  it  can  be  shown  that  the 
values  of  the  variables  must  also  be  integral* 
Further,  since  the  Constant  terms  are  unity,  the 
variables  cannot  exceed  unity  and  hence,  in  view 
of  the  non-negative  condition,  the  can  take 
only  the  values  zero  or  one.  This  means  any 
optimum  solution  would  assign  one  man  full  time 
to  one  task  during  any  finite  schedule  time*  To 
illustrate  the  model  consider  the  following 
simple  example.  Suppose  three  men  are  to  be 
assigned  to  three  tasks*  The  proficiency  indices 
of  each  man  for  each  of  the  tasks  are  given  in 
the  table  below. 


For  this  example  there  are  3 t combinations  of 
assignments.  The  possibilities  are  shown  below 
with  the  relative  effectiveness  of  each; 


Task  A 

CiA 

Task  B 

CiB 

Task  C 

ciC 

Relative 

Effectiveness 

n 

4 

*2 

5 

V3 

6 

15 

4 

Ys 

8 

V2 

4 

16 

Y2 

3 

yl 

6 

y3 

6 

15 

y 2 

3 

y3 

8 

Yl 

4 

15 

*3 

7 

yl 

6 

y2 

4 

17 

Y3 

7 

y2 

5 

Y1 

4 

16 

Table  II 

Possible  Assignments  of  Three 
Candidates  for  Three  Tasks 


143 


where  y^,  Y2>  and  y3  refer  to  the  first,  second, 
and  third  candidates  respectively*  Clearly,  the 
fifth  possibility  would  be  the  optimum* 

It  should  be  clear  from  this  example  that  as 
the  number  of  candidates  and  tasks  increases,  a 
listing  of  all  possibilities  to  choose  an  optimum 
would  not  be  practical* 

We  now  have  a suitable  model  for  assigning 
candidates  to  tasks  based  upon  each  candidates 
proficiency  for  each  task*  For  a time  interval 
of  arbitrary  length  the  smae  model  would  be  a 
schedule  of  task  assignments*  The  collection  of 
models,  for  the  total  mission  time,  would  repre- 
sent an  optimum  schedule. 

Extensions  of  the  Basic  Model 
Crew  Selection 

Suppose  it  is  desired  to  select  a crew  for  a 
particular  mission*  Assume  the  tasks  necessary 
for  successful  completion  of  the  mission  are  well 
defined  (as  they  usually  will  be)  and  that  the 
number  of  crew  members  needed  is  known*  Suppose 
further  that  the  proficiency  index  (c^j)of  each 
candidate  for  each  task  is  also  known*  Let  the 
number  of  tasks  to  be  assigned  be  N and  the 
number  of  candidates  be  K where  K N*  Again, 

Xjj  would  be  the  fraction  of  time  the  ith  man 
spends  at  the  jth  task*  The  constraint  equations 
and  the  objective  function  would  be  in  th© 
following  form 


= 1 j = 1,  2,  ***  , N (15) 


1 i = 1,  2,  ***  , K (16) 


Cjj  x^j  = maximum  (17) 


Z xij 

i=l 

N 

Z xij 

j=l 

K N 

Z I 

1=1  3=1 


inary  tasks©  The  proficiency  indices  related  to 
these  tasks  are  obviously  zero  since  an  un- 
assigned candidate  could  have  no  effect  on  the 
optimum.  The  objective  function  would  take  the 
form 

K N K 

Xi  ] Xj  cij  xij  + ^ cij  Si/=  maximum 

i=l  3=1  j=N+l  (19) 

where  the  second  term  in  the  parentheses  is 
identically  zero*  The  constraint  matrix  for  the 


above 

example  would 

take 

the 

form 

xu 

x12 

X1N 

S1 

0 

0 

0 

X21 

x22 

X2N 

0 

s2 

0 

0 

xm 

XN2 

XNN 

0 

0 

SN 

0 

xia 

XK2 

XKN 

0 

0 

0 

SK 

(20) 


It  should  be  noted  that  only  N of  the  would 
have  values  different  from  zero  upon  solution, 
and  K-N  of  the  sj  would  have  non-zero  value.  All 
of  the  remaining  variables  would  be  zero*  The 
non-zero  x^j  would  represent  the  crew  chosen* 

liPPfir  Bpupflg^ 

Much  has  been  written  concerning  the  opti- 
mization of  time  cycles  and  work/rest  ratios*  It 
is  important  to  establish  the  individual  work/ 
rest  cycles  for  crew  candidates  such  that  crew 
effeciency  can  be  maintained  for  the  complete 
mission*  In  addition,  the  proportion  of  crew 
members  required  for  relief  purposes  must  be 
found*  For  space  missions,  this  latter  considera- 
tion will,  of  course,  be  very  sever ly  limited  due 
to  weight,  thrust,  and  cabin  size  limitations. 

The  consideration  of  such  work/rest  cycles 
may  be  reflected  in  the  model  by  constraining 
the  variables  as  follows 


0 - x^j  £ M*j  (M.j  < l)  for  some  i,  j (2l) 


The  system  (15)  is  in  standard  form,  but  the 
system  (16)  is  not.  Then  as  in  equation  (5),  K 
non-negative  slack  variables  may  be  added  to  (16) 
to  transform  it  to  standard  form,  as 

N 

X xij  *§1=1  i = 1,  ooo  , K (18) 

3=1 


that  is,  by  not  allowing  one  man  to  be  assigned 
full  time  to  one  task*  The  upper  bound  in 
expression  (21)  is  the  fraction  of  the  task 
duration  for  which  the  ith  man  is  capable  of 
performing  without  any  appreciable  loss  in 
effectiveness.  Thus  the  extension  of  the  model 
can  be  summarized  as,  using  (10),  (ll),  and  (13) 


The  slack  variables  would  correspond  to  the  un- 
assigned  candidates  and  take  the  form  of  imag- 


j = 1 » 2 > ---  , k 


i=l 


xij  = 1 i « lf  2j  * * - ,k 

j=l 


k k 

i z 

i=l  j=l 


*ij  - 0 


c.  , x.  . = maximum 

ij  ij 


(22) 


x^j  £ for  some  or  all  if  j (23) 


where  (22)  is  the  original  system  and  (22)  plus 
(23)  is  the  extended  system,  which  includes  the 
upper  bounds  on  the  variables* 

In  general,  all  of  the  variables  will  be 
constrained  for  the  sake  of  consistency.  How- 
ever, in  practice,  some  of  the  may  be  made  so 
large  they  have  no  effect  upon  the  solution. 


The  use  of  the  solid  or  dotted  lines  is  a 
graphic  representation  of  the  condition  that  all 
tasks  be  filled  and  all  candidates  be  assigned* 
For  example,  if  the  first  candidate  is  assigned 
task  B,  then  the  only  decision  to  be  made  is 
whether  path  BAC  or  BCA  is  to  be  followed  to  com- 
plete the  assignments*  Of  course,  this  decision 
is  based  on  the  relative  proficiencies  associated 
with  each  path*  The  above  network  is  actually  a 
combination  of  two  networks,  one  overlayed  on  the 
other,  each  of  which  gives  three  of  the  possible 
assignments*  The  dotted  constraints  are  one  net- 
work, and  the  solid  constraints  are  another. 

The  use  of  a network  would  be  very  limited, 
however,  since  an  increase  in  crew  candidates 
and/or  tasks  greatly  increases  the  complexity  of 
the  network.  Since  a network  illustrating  the 
assignment  of  N candidates  to  N tasks  has  NT 
possible  assignments,  the  number  of  constraint 
lines  tend  to  confuse  the  network  as  N increases. 
For  the  network  shown  there  are  12  constraint 
lines  and,  in  general,  for  the  assignment  of  N 
candidates  to  N tasks  the  network  would  have 
N(N-l)2  constraint  lines. 


BjbU^ra_phY 

1*  Ackoff,  Russel  L, , (Editor),  Progress  in 

Operations  Research,  Volume  I,  John  Wiley 
& Sons,  New  York;  1961. 


Network  Representation 

In  recent  years  PERT-PEP  management  infor- 
mation techniques  have  become  increasingly  pop- 
ular, The  use  of  these  networking  techniques 
have  been  excellent  aids  to  management  personnel 
for  scheduling  and  identifying  troublesome  areas 
in  the  schedule.  The  use  of  network  techniques 
may  also  be  an  aid  in  assigning  crew  members  for 
space  missions.  The  network  in  figure  I 
illustrates  the  possible  assignments  of  three 
candidates  for  three  tasks* 


Network  Illustrating  the  Possible  Assignment 
of  Three  Candidates  for  Three  Tasks 


2.  Garvin,  Walter  W*,  Introduction  to  Linear 
Programming*  McGraw-Hill  Book  Company, 
Inc*,  Ptew  York 5 I960* 

3*  Mood,  A*  M*,  Introduction  to  the  Theory  of 
Statistics,  McGraw-Hill  Bbok  Company, 

New  York ; 1 950  # 

4.  Ray,  James  T, , Martin  0,  Edward,  and 

Alluisi,  Earl  A,,  Human  Performance  as 
Function  of  the  Work  Rest  Cycle*  A Review 
of  Selected  Studies,  National  Academy  of 
Sciences  - National  Research  Council, 
Washington  D,C.j  1961. 


REDUNDANT  ADAPTIVE  FLIGHT  CONTROL 
SYSTEMS  AS  USED  IN  SPACE  VEHICLES 


By  John  N.  Mitchell  and  Allyn  J.  Foreman 
Minneapolis -Honeywell  Regulator  Company 
Aeronautical  Division 
Minneapolis,  Minnesota 


Introduction 


High  reliability  requirements  of  today's  aero- 
dynamic and  space  flight  control  systems  have 
generated  many  new  concepts.  In  recent  years, 
the  role  of  the  automatic  flight  control  system 
has  changed.  Originally  considered  an  accessory 
item,  it  has  reached  the  point  where  success  of 
the  intended  mission  depends  upon  its  satisfactory 
operation.  Present-day  high-speed  aircraft,  for 
instance,  exhibit  poor  stability  characteristics  at 
certain  flight  conditions,  making  it  very  difficult 
for  the  pilot  to  control  the  craft,  much  less  per- 
form his  intended  mission,  without  stability  aug- 
mentation system. 

In  manned  space  vehicles  the  need  is  even 
greater.  During  the  critical  periods  of  launch 
and  exit  from,  and  re-entry  into  the  earth's  at- 
mosphere, vehicle  flight  path  and  attitude  will 
have  to  be  maintained  within  very  close  limits, 
not  only  to  maintain  the  desired  course  but  also 
to  prevent  the  vehicle Ts  destruction  from  exces- 
sive heating  rates  and  aerodynamic  forces.  The 
required  tight  control,  coupled  with  poor  vehicle 
stability,  presents  a control  problem  which  is 
beyond  a human  pilot's  capabilities. 

Naturally,  this  growing  dependence  on  the 
automatic  control  system  has  focused  greatly  in- 
creased attention  on  its  reliability.  While  per- 
formance demands  upon  future  systems  are  great, 
reliability  requirements  are  the  most  difficult  to 
meet.  In  comparison  with  present  capabilities, 
it  is  perhaps  the  single  area  in  which  the  great- 
est improvement  over  existing  techniques  must 
be  made  to  satisfy  projected  future  control  system 
re  quire  merits * 


Methods  To  Improve  Reliability 

System  -complexity  has  increased  by  leaps 
and  bounds  due  to  the  high  performance  charac- 
teristics of  new  vehicles  and  the  greater  demands 
to  perform  more  functions  automatically.  At- 
tempts to  simplify  control  systems  have  resulted 
in  minor  improvements  in  reliability. 

Improving  reliability  through  the  develop- 
ment of  highly  reliable  parts  has  not  been  ade- 
quate to  meet  the  demands  of  flight  control  sys- 
tems for  space  vehicles*  The  reliability  of  pres- 
ent flight  control  systems  for  aerodynamic  con- 
trolled vehicles  ranges  from  100  to  500  hours 
mean-time-between  failures. 


These  systems  may  be  improved  by  a factor 
of  4 or  5 through  the  use  of  high  reliability  parts. 
Much  emphasis  has  been  given  to  electronic  part 
improvement  on  programs  such  as  Minuteman. 

In  mild  environmental  applications  these  parts 
may  exhibit  improved  reliability  by  an  order  of 
magnitude  or  more. 

However,  this  improvement  cannot  be  achiev- 
ed in  the  more  severe  space  environments.  To 
meet  space  reliability  requirements,  systems 
must  be  improved  by  2 or  3 orders  of  magnitude* 

At  the  present  state-of-the-art,  the  required 
degree  of  reliability  improvement  can  be  achieved 
through  the  use  of  redundancy. 

With  redundancy  comes  the  consideration  of 
weight,  volume,  cost,  and  performance.  Thus, 
the  objective  is  to  maximize  reliability  and  per- 
formance while  minimising  weight,  volume,  and 
cost. 

To  achieve  this  objective  with  a conventional 
control  system  requires  a triple  redundant  mech- 
anization* The  operation  may  be  the  voting 
scheme,  which  results  in  dropping  out  the  one 
channel  that  is  in  disagreement.  The  dual  redun- 
dant adaptive  control  system  with  monitors  has 
achieved  high  reliability  without  degradation  of 
performance* 

Adaptive  Flight  Control  System 

Let  us  compare  the  operation  of  a conven- 
tional control  system  and  an  adaptive  control 
system. 

Consider  the  block  diagram  of  Figure  1, 
which  depicts  a conventional  approach  to  the  con- 
trol problem.  Note  the  airframe  transfer  func- 
tion. The  parameters  , C a*  T , and  K are, 
in  general,  functions  of  Hie  airframe  aerodynamic 
characteristics,  the  flight  speed  and  altitude. 
These  parameters  might  have  variations  as  high 
as  50  to  1 through  the  flight  envelope  of  a super- 
sonic vehicle.  Hence,  to  provide  satisfactory 
damping  augmentation  to  a vehicle  with  such 
widely  varying  dynamic  characteristics,  it  is 
normally  necessary  to  program  the  feedback  gain 
K with  air  data  information  such  as  dynamic 
pressure,  Mach  number  and  altitude.  In  some 
cases  it  may  even  be  necessary  to  program  the 
time  constants  of  the  compensating  network.  The 


COMPENSATING  AIRFRAME 

NETWORK  TRANSFER 

FUNCTION 


ikQ 


Mi tchell/Porsman 


rH 


,8 

o 

-P 


vr\ 


150 


Figure 


151 


Mi t c h« 1 l/Po rsman 


152 


Mitchell/Forsman 
Figure  5. 


reliability  of  this  simple  type  control  system  is 
dependent  upon  the  reliability  of  the  air  data  com- 
puter system,  the  motor  gear-train  repeaters, 
and  the  non- linearly  wound  potentiometers  used 
to  program  the  feedback  parameters, 

A major  step  in  improving  reliability  is  to 
eliminate  the  need  for  air  data  information.  In 
1954,  Honeywell  set  out  to  eliminate  gain  sched- 
uling without  compromising  performance.  The 
idea  was  to  devise  a system  which  could  effec- 
tively evaluate  its  own  performance  and  alter  its 
feedback  gain  to  maintain  a desired  performance 
level.  This  was  named  nThe  Self-Adaptive  Con- 
trol System". 

As  indicated  by  Figure  2,  a model  is  used  to 
shape  vehicle  response  to  the  desired  response 
characteristics  for  all  commands.  The  vehicle 
is  made  to  follow  the  output  of  the  model  by  main- 
taining a high- gain  control  loop  following  the 
model  commands.  The  model  is  an  electrical 
analog  simulating  the  desired  dynamic  charac- 
teristics of  the  vehicle.  In  other  words,  when 
an  electrical  signal  is  fed  to  the  model  network, 
the  output  of  the  network  is  an  electrical  signal 
representing  the  desired  output  response  of  the 
vehicle.  By  comparing  the  vehicle  response  with 
the  model  response  and  feeding  the  error  signal 
to  an  authoritative  controller,  it  is  possible  to 
enforce  correspondence  of  the  vehicle  response 
to  the  model  response.  This  control  loop  (in- 
cluding a rate  gyro,  amplifier,  variable  gain, 
servo,  surface  actuator,  and  aircraft)  must  have 
a bandwidth  at  least  three  times  the  bandwidth 
of  the  model  to  prevent  further  shaping  of  the 
command  due  to  the  controller  dynamics.  This 
wide  bandwidth  is  obtained  primarily  through 
automatic  gain  control,  which  continuously  seeks 
the  maximum  gain  operating  condition.  This  gain 
level  is  called  critical  gain,  and  it  is  detected  by 
means  of  a small- amplitude  limit  cycle.  The 
amplitude  of  this  limit  cycle  (for  the  F-101  sys- 
tem this  amounted  to  0.  1 degree  of  surface  de- 
flection) is  compared  to  a reference  amplitude 
set  point  and  tightly  controlled  to  this  reference 
amplitude  by  the  gain  computer.  Any  tendency 
for  the  limit  cycle  to  become  larger  results  in  an 
immediate  gain  reduction,  while  loss  of  the  limit 
cycle  initiates  an  immediate  gain  increase. 

This  adaptive  technique  therefore  provides 
uniform  aircraft  response  to  commands  through- 
out the  flight  envelope  by  varying  the  flight  con- 
trol system  gain  as  an  inverse  function  of  the  air- 
craft surface  effectiveness  through  the  operation 
of  the  self-contained  gain  computer.  Thus,  the 
adaptive  concept  is  independent  of  air  data  inputs 
from  a central  air  data  computer. 

The  adaptive  system  differs  from  the  con- 
ventional system  in  that  a model  and  an  auto- 
matic gain  computer  have  been  added  and  the  air 
data  scheduling  have  been  deleted.  The  Honeywell 
self-adaptive  concept  was  first  successfully  de- 
monstrated in  an  F-101  supersonic  aircraft. 


Adaptive  System  Reliability 


The  self-adaptive  system  previously  des- 
cribed is  capable  of  adjusting  its  operation, 
through  the  gain  changer,  to  compensate  for  com- 
ponent deterioration.  Obviously  the  gain  com- 
puter, sensing  the  performance  of  the  entire  air- 
craft-control system  loop,  cannot  detect  whether 
changes  in  this  performance  are  caused  by  chan- 
ges In  aircraft  characteristics  or  changes  in 
component  performance.  Hence,  it  compen  sates 
accordingly  for  variations  in  gain  or  dynamic 
response  occurring  anywhere  in  the  loop.  This 
feature  makes  the  system  extremely  tolerant  of 
component  variations  and  in  a sense  tends  to  up- 
grade component  reliabilities.  In  a conventional 
system,  for  example,  a 50  per  cent  decrease  in 
gain  of  a particular  amplifier  might  result  in  un- 
satisfactory operation  of  the  system  and  would 
be  considered  a failure  of  the  amplifier.  In  the 
adaptive  system  such  a loss  would  be  compen- 
sated for  by  the  gain  computer. 


Approach  to  the  Adaptive  Control  System 
For  the  X-15  Vehicle  ~ 

At  the  outset  of  this  program,  the  single 
adaptive  control  system  was  evaluated  for  use  in 
the  X-15  vehicle.  The  reliability  analysis  in- 
dicated a reliability  factor  of  0.  995  for  a one 
hour  mission. 

This  system  proved  to  be  unsatisfactory  for 
two  reasons.  First,  the  single  system  config- 
uration offered  no  failsafety.  One  of  the  prime 
requirements  of  automatic  flight  control  systems 
for  hypersonic  or  space  vehicles  is  that  they  be 
failsafe.  This  requires  that  the  flight  control 
system  be  designed  such  that  no  failure  can  cause 
vehicle  destruction.  Second,  even  though  the 
reliability  factor  was  reasonable  for  the  speci- 
fied mission,  the  system  to  be  developed  requir- 
ed high  reliability  for  an  extended  mission  period. 

To  accomplish  both  of  these  requirements, 
triple  redundant  systems  were  studied.  Figure 
3 is  a simplified  reliability  mode  showing  the 
triple  redundant  component  summing  mechaniza- 
tion. Several  complications  which  arose  in  iso- 
lating the  components  led  to  the  redundant  chan- 
nel summing  mechanization  shown  in  Figure  4, 

However,  due  to  other  limiting  factors  in 
the  system,  principally  the  reliability  of  the 
servos,  it  was  decided  to  provide  a dual  redun- 
dant system  with  n automatic  decision  devices". 
This  configuration  provided  for  failsafety  and 
continuous  operation  for  any  failure.  The  block 
diagram  of  this  system  is  shown  in  Figure  5. 

The  block  diagram  shows  a single  axis  augmen- 
tation configuration  with  pilot  commands.  All 
elements  are  redundant,  except  for  the  servo. 

The  predicted  mean  time  between  failures. 


153 


151*- 


Mi  t chel  l/  ^orsman 


(MTBF)  of  the  complete  nonredundant  augmenta- 
tion system  (excluding  servos)  was  340  hours. 
The  corresponding  redundant  augmentation  sys- 
tem had  a predicted  MTBF  in  excess  of  100,  000 
hours  based  on  a one-hour  mission. 

Additional  electronics  not  shown  in  Figure  5 
were  included  in  the  system*  These  electronics 
were  provided  for  the  pilot  to  select  operational 
modes  and  hold  modes.  Redundancy  was  not 
used  in  the  pilot  flight  system  because  these  ele- 
ments were  not  flight  essential. 


Dual  Redundant  System 

The  adaptive  flight  control  system,  such  as 
the  one  being  flight  tested  in  the  No,  3 X-15 
vehicle,  lends  itself  exceptionally  well  to  re- 
dundant mechanization  and  provides  failsafety. 
After  analysis,  it  was  evident  that  approximately 
90  per  cent  of  the  failures  which  would  occur  in 
the  system  would  result  in  a no -signal  condition. 
Since  the  system  was  adaptive,  this  type  failure 
posed  no  problem  because  a no -signal  condition 
in  one  channel  simply  meant  that  the  gain  of  the 
other  channel  would  double  to  compensate  for 
the  signal  loss.  Therefore,  90  per  cent  of  the 
problems  were  solved.  Yet  to  ensure  failsafety 
the  other  10  per  cent  of  the  failures,  i,  e.  , of  a 
hardover  or  full  output  type,  had  to  be  elimina- 
ted. This  was  done  by  installing  hardover  moni- 
tors at  strategic  points  in  the  system,  thereby 
converting  hardover  failures  to  open  circuit  or 
no -signal  condition. 

Analysis  pointed  out  a major  deficiency  in 
provisions  for  continuous  control  after  a single 
failure.  A hardover  failure  of  a particular  ele- 
ment (lead  network  amplifier)  would  result  in  an 
ineffective  system  because  the  channel  containing 
the  defective  element  would  be  balanced  by  the 
surviving  channel,  leaving  no  range  for  control 
authority.  These  elements  could  not  be  moni- 
tored for  hard  overs,  since  their  outputs  were 
required  to  reach  maximum  under  normal  opera- 
ting conditions. 

Study  of  the  problem  resulted  in  placing  a 
comparater  type  monitor  between  the  outputs  of 
the  redundant  channels  and  setting  it  to  trip  at 
140  per  cent  of  the  output  of  one  element.  This 
meant,  then,  that  both  elements  could  go  to  sat- 
uration in  the  same  direction  and  not  trip  the 
monitor.  If  a hardover  failure  should  occur  in 
one  of  the  components,  its  output  would  go  to  a 
maximum  in  one  direction.  This  would  begin  to 
command  the  vehicle,  which  would  result  in  a 
gyro  output  of  opposite  polarity  and  thereby  drive 
the  nonf ailed  channel  in  the  opposite  direction. 
The  difference  between  the  outputs  of  the  two  ele- 
ments would  very  rapidly  exceed  140  per  cent  of 
either  output  with  only  slight  aircraft  motion. 

Since  this  type  monitor  could  not  distinguish 
which  channel  was  in  error,  the  only  alternative 
was  to  effectively  remove  both  elements  from  the 


system.  To  prevent  complete  loss  of  vehicle 
control,  this  section  of  the  system  was  surroun- 
ded by  fixed  gain  loops.  In  case  of  a hardover 
failure  of  this  element  the  system  would  function 
in  low  fixed  gain  mode,  thereby  providing  at 
least  minimum  damping  for  the  pilot.  The  pro- 
bability of  this  type  failure  occurring  was  ex- 
tremely small,  yet  failsafety  was  mandatory. 

Early  laboratory  tests  of  this  system  using 
a dual  redundant  simulator  proved  very  success- 
ful, The  mechanization  was  thoroughly  tested 
by  removing  portions  of  the  circuits  mounted  on 
plug-in  type  circuit  boards,  thereby  creating  open 
type  signals  or  no -signal  conditions*  By  moni- 
toring the  gain  changer  output,  the  analysis  was 
proven  to  be  correct:  loop  gain  was  maintained 
at  normal  condition  by  the  remaining  functional 
channel*  To  create  hardover  commands,  ex- 
traneous voltages  were  Induced  at  various  points 
in  the  system.  All  hardover  monitors  were  test- 
ed repeatedly  to  assure  proper  operation. 

The  entire  system  was  put  into  a test  cham- 
ber and  operated  for  300  hours.  Chamber  tem- 
perature, pressure,  and  humidity  were  varied 
over  a two -hour  period  in  accordance  with  the 
expected  mission  profile.  The  cycling  was  re- 
peated throughout  the  300  hours.  During  the  test 
six  malfunctions  were  experienced.  Two  were 
associated  with  a pilot  operated  solenoid -held 
switch;  three  with  the  yaw  position  transmitter 
(control  by  yaw  pedals);  and  one  with  the  normal 
accelerometer  comparator.  These  failures  were 
all  associated  with  the  pilot  flight  system. 

Necessary  remedial  action  was  taken  and 
field  tests  to  date  have  shown  no  recurrence  of 
these  problems. 

Flight  testing  of  this  system  is  now  beiqg 
conducted  in  the  No.  3 X-15  at  Edwards  Air  Force 
Base,  California,  This  vehicle  has  made  four 
flights  to  date,  all  highly  successful.  After  the 
first  three  flights,  or  a total  flying  time  of  32 
minutes,  the  autopilot  was  completely  qualified 
in  the  aerodynamic  regions.  The  fourth  flight, 
conducted  on  April  20,  1962,  reached  a maximum 
speed  of  3,  818  miles  per  hour  and  an  altitude  of 
207,000  feet.  Damping  with  the  reaction  controls 
at  high  altitude  was  just  as  good  as  with  aerody- 
namic controls  at  lower  altitudes.  Future  flights 
will  be  for  pilot  indoctrination  or  for  completely 
qualifying  the  system  in  all  flight  regimes* 

Flight  Control  Systems  for  Other  Spacecrafts 

The  experience  gained  on  the  X-15  adaptive  con- 
trol system  will  be  utilized  to  advance  the  state- 
of-the-art.  The  control  system  being  developed 
for  another  spacecraft  will  be  designed  to  elimin- 
ate the  low  fixed  gain  mode.  This  configuration 
is  shown  in  Figure  6,  This  system  provides  for 
failsafe  operation  and  continuous  adaptive  control 
for  any  single  failure. 


155 


Space  vehicles  having  a mission  period  well 
in  excess  of  100  hours  will  utilize  all  methods  of 
achieving  high  reliability,  such  as  simplification, 
derating,  redundancy,  etc.  One  of  the  principal 
means  of  achieving  high  reliability  will  be  in- 
flight maintenance.  Studies  made  on  the  redun- 
dant channel  adaptive  simulator  have  proven  the 
feasibility  of  this  concept.  As  mentioned  earlier, 
entire  circuits  were  removed  without  degradation 
of  vehicle  control.  Accepting  this  approach, 
ultra -reliability  of  the  adaptive  control  system 
can  be  achieved  by  short  periods  between  inspec- 
tion and  providing  a reasonable  quantity  of  spare 
circuits. 

A cknow  ledgm  ent  s 

Development  of  the  X-15  adaptive  autopilot 
was  sponsored  by  the  Flight  Control  Laboratory, 
Aeronautical  Systems  Division  (ASD)  of  USAF, 
under  Contract  No.  AF33{616)6610,  with  Lt. 
Robert  Johannes  as  project  officer. 


156 


SNAP  RELIABILITY  PROGRAM* 


¥•  Vaughn 
Reliability  Advisor 
Compact  Systems  Division 
Atomics  International 

A Division  of  North  American  Aviation,  Inc® 

Post  Office  Box  309 
Oanoga  Park,  California 

C,  J*  Brous 
Director 

Product  Engineering  and  Manufacturing  Department 
Compact  Systems  Division 
Atomics  International 

A Division  of  North  American  Aviation,  Inc® 

Post  Office  .Box  309 
Canoga  Park,  California 


The  reliability  of  nuclear  power  systems 
for  space  applications  is  one  of  the  important 
factors  that  mil  make  this  energy  source 
practical®  The  study  of  environmental  effects 
on  the  reliability  of  these  space  systems  and 
their  electronic  payloads  involves  not  only  the 
usual  conditions  of  space  but  adds  to  it  the 
requirements  for  long  term  endurance  and 
radiation  resistance®  The  study  of  these 
effects  can  be  expensive  and  time  consuming®  A 
simplified  analytical  technique  has  been 
developed  at  Atomics  International  which  uses 
available  test  and  performance  data  and  requires 
limited  additional  testing®  This  program  should 
provide  reliable  systems  for  nuclear  auxiliary 
power  (SNAP)  that  will  be  suitable  for  the 
space  payload  and  electrical  propulsion 
requirements  of  the  larger  systems  of  the  late 
60Js  and  70fs® 

Introduction 

The  application  of  nuclear  technology  to 
the  problem  of  providing  long  lived  energy 
sources  for  space  utilization  is  a natural 
outgrowth  of  this  reactor  technology®  This 
application  has  reached  practicality  now  as 
represented  by  the  SNAP  3 isotopic  power 
package  and  is  soon  to  be  tested  In  the  AEG 
program  for  the  SNAP  10A  (Figure  1)  5 SNAP  2 and 
SNAP  8 nuclear  reactor  power  packages® 

The  electrical  energy  requirement  for  space 
payloads  and  propulsion  mil  soon  far  outstrip 
all  energy  devices  except  for  the  nuclear 
reactor  type®  In  Figure  2 we  see  the  growth  of 
payload  and  electrical  propulsion  requirements 
as  the  booster  power  capabilities  are  Increased® 


¥orlc  being  conducted  under  AEC  Contract 
AT (ll-l) -GEN-8® 


Tills  is  further  related  to  SNAP  10A,  2,  and  8 
uses  in  Figure  3*  You  will  note  how  these 
nuclear  auxiliary  power  packages  are  well  suited 
for  the  forthcoming  systems  made  practical  by 
the  larger  boosters®3  The  space  power  require- 
ments are  expected  to  reach  the  megawatt  range 
by  the  70*  s* 

Endurance  time  requirements  during  this 
period  will  increase  £rom  one  to  five  years  of 
unattended  operation® 

These  requirements  for  nuclear  power  in 
space  must  be  satisfied  by  highly  reliable 
systems,  engineered  to  withstand  the  many 
environments  encountered*  The  additional  effect 
of  nuclear  power  on  systems  and  electronic 
payloads  utilizing  this  power  must  be 
quantitatively  determined  and  used  in  the 
selection  of  long  life  components*  Also,  the 
associated  environments  of  long  term  endurance, 
hard  vacuum,  high  temperature,  micrometeorite 
flux,  electron  and  proton  bombardment  must  be 
integrated  with  this  reactor  environment® 

More  experimental  effort  is  needed  in 
studying  the  effect  of  the  combination  of 
radiation  and  extreme  (high  and  low)  temperatures 
and  ultra-high  vacuum,  and  further  studies  are 
required  to  determine  the  effects  of  high  energy 
particles  found  in  space  on  materials.  Basic 
research  to  determine  the  mechanism  of  radiation 
effects  is  also  needed  in  order  to  develop 
suitable  methods  for  predicting  life  of  materials 
and  components  in  a radiation  field® 

The  work  at  Atomics  International  is 
directed  toward  testing  and  data  accumulation 
under  these  combined  environments®  The  program 
mil  use  the  limited  data  available  on  radiation 
and  space  effect  from  many  outside  sources  and 
from  this  testing  at  Atomics  International® 

These  data  are  being  related  to  the  reliability 
performance  ^ of  the  system  by  simplified  analyti- 
cal techniques® 


157 


The  Reliability  Problem 

The  fundamental  problem  facing  the 
reliability  analyst  is  one  of  obtaining  good 
data  on  the  effect  of  radiation*  heat  and  vacuum 
cfn  electronic  components  and  electrical  materials 
and  relating  them  to  the  reliable  life  of  the 
system.  While  a great  number  of  special  tests 
have  been  performed*  in  almost  every  case  the 
data  taken  do  not  provide  statistical  information 
on  these  environmental  factors.  Statistical  data 
are  lacking  in  terms  of  insufficient  sample  size* 
unsystematic  variation  of  components  (rating* 
manufacturing*  similarity*  and  type)*  and 
success/failure  criteria.  Gross  effects*  of 
course*  are  known;  and  if  assumptions  are  made 
about  uxiincluded  factor  effects*  quantitative 
values  can  be  described. 

The  need  to  prepare  reliability  analyses  on 
equipment  exposed  to  these  new  combined 
environments  requires  consideration  of  new 
techniques  and  a re-examination  of  present 
methods.  The  exponential  failure  law 
(H  - e -*t)  is  dependent  upon*  first*  the 
requirement  that  all  parts  in  electronic  systems 
introduce  independent  sources  of  rapid 
catastrophic  failures;  second*  the  mean  time 
between  failure  is  dependent  upon  replacement  of 
failed  parts  with  new  parts  as  soon  as  failure 
occurs;  and*  finally*  the  failures  are  random  in 
time  and*  in  general*  representative  of  the 
sustained  failure  rate  for  the  system. 

Most  of  these  conditions  are  not  met  and* 
even  if  they  were*  the  use  of  this  formula  as 
the  exclusive  measure  of  survival  probability  is 
highly  unconservative  since  only  a fraction  of 
the  total  failure  potential  is  considered.  The 
remainder  of  the  failures  are  those  resulting 
from  the  degrading  influences  of  nuclear  and 
temperature  environment.  Both  of  these 
categories  of  failure  must  be  integrated  in  some 
manner  so  that  a probabilistic  estimate  can  be 
made  of  the  life  and  performance  of  an  electronic 
component  exposed  to  this  space -radiation- 
temperature  environment. 

Reliability  analysis  of  equipment  exposed 
to  radiation*  high  temperature*  and  vacuum  is 
dependent  upon  data  properly  taken  under  these 
environments*  The  data-produclng  test  must  be 
designed  so  that  factor  effects  can  be  isolated 
or  can  be  combined  with  other  factors*  and  the 
combined  effect  determined.  Sufficient  levels 
of  each  factor  should  be  selected  in  order  that 
more  general  use  of  the  data  can  be  made  without 
recourse  to  extrapolation.  Many  industrial 
contractors  have  or  will  have  specific  test 
requirements;  and  if  these  requirements  were 
adjusted  in  terms  of  sample  size*  environmental 
levels*  or  inclusion  of  an  additional  environ- 
mental factor*  it  would  be  possible  to  satisfy 
over-all  data  requirements* 

The  3 at  telle  Memorial  Institute  at 
Columbus*  Ohio*!  has  compiled  and  edited  the 


test  results  on  electronic  components  and  systems 
that  have  been  exposed  to  nuclear  radiation. 

These  tests  were  conducted  by  a multitude  of 
contractors  who  performed  them  to  satisfy  special 
technical  requirements.  These  results  have  been 
published  in  a series  of  reports1  and*  since  they 
describe  the  majority  of  test  effort  in  terms  of 
radiation  environment  today*  they  form  the  basic 
data  for  initial  reliability  analyses.  It  is* 
therefore*  of  interest  to  examine  these  data  to 
determine  their  suitability  for  reliability 
purposes. 

An  examination  of  the  contents  reveals  that 
engineering  data  predominate  rather  than 
statistical  or  reliability  data.  This  means 
that  failure  rates  are  not  available  for 
insertion  into  a reliability  formula.  Further- 
more* sample  sizes  are  insufficient  in  most 
cases  to  establish  confidence  in  the  values  of 
the  parameters  measured. 

The  problem*  therefore*  is  to  find  a means 
of  making  maximum  use  of  the  available  data  in 
the  reliability  analysis.  The  reliability 
approach  presented  herein  makes  maximum  use  of 
published  data  and  results  from  limited  testing. 

The  Reliability  Approach 

Figure  1;  illustrates  generally  an  approach 
for  including  the  radiation  environment  into  the 
reliability  prediction  analysis. 

Gross  effects  in  terms  of  percent  change  in 
parameters  due  to  radiation  dose  Have  been 
determined  for  certain  types  of  components 
(Figure  ij.a) . These  values  are  inserted  into 
each  circuit  formulae  and  the  change  in  circuit 
output  calculated  (Figure  Ub).  This  value  is 
then  compared  with  the  circuit  failure/success 
criteria  for  a determination  of  category. 
Repetitive  selection  of  sets  of  component  values 
from  an  assumed  rectangular  distribution  of 
values  is  made*  and  in  each  case  the  circuit 
output  calculated.  This  output  is  then 
compared  with  the  circuit  failure/success 
criteria.  At  least  1000  such  sets  are  computed. 
The  result  is  a ratio  of  success  to  total  trials 
for  each  circuit  for  a specified  operating  time 
(t).  The  system  radiation  reliability  is  then 
determined  by  a series  multiplication  of  the 
individual  circuit  reliabilities.  In  turn*  the 
standard  reliability  analysis  values  are  then 
multiplied  by  the  radiation  reliability  for  a 
combined  system  reliability  (Figure  U).  A 
general  example  of  the  above  is  worked  out  in 
detail  in  Appendix  A, 

Combined  Environmental  Testing 

SNAP  testing  is  now  under  way  leading  to 
information  on  the  radiation  effects  for  use  in 
the  reliability  approach  described.  Reactor 
control  systems  and  associated  devices  located 
in  the  payload  dosage  plane  and  adjacent  to  the 
reactor  are  being  tested  in  combined  environ- 
ments* which  should  produce  data  useful  in 


158 


reliability  analyses. 

Table  I tabulates  the  results  of  preliminary 
tests  conducted  on  high  temperature  components 
developed  during  the  HOTELEG  ^ program.  These 
tests  were  conducted  to  examine  the  temperature 
extremes  characteristics. 

Tests  on  components  operating  normally  at 
the  conclusion  of  1800  hours  were  continued  for 
an  additional  2184  hours  for  a total  of  39&4 
hours.  Results  indicated  normal  operation* 

Since  these  tests  were  to  establish  preliminary 
capability,  no  radiation  flux  was  included. 

Further  testing,  which  includes  the  radiation 
environment,  is  divided  into  two  major  divisions 
of  environment:  (l)  low  flux  - low  temperature; 

and  (2)  high  flux  - high  temperature*  (See 
Table  XI.) 

The  first  environment  represents  the 
conditions  existing  in  the  shadow  of  the 
radiation  and  heat  shield;  and  the  second 
represents  the  environment  on  or  immediately 
adjacent  to  the  reactor. 

Low  flux  - low  temperature*  Transistors, 
resistors,  diodes,  capacitors,  and  magnetic 
cores  have  been  chosen  jointly  with  the 
controller  supplier  and  will  be  tested  in-pile 
at  expected  operating  temperatures  and  lO"^ 

Torr  vacuum  to  det ermine  parameter  drift  as  a 
function  of  integrated  neutron  dose  and  gamma 
dose*  An  analysis  will  then  be  conducted, 
utilising  the  drift  rates  obtained,  and  circuit 
designs  will  be  modified  as  necessary  as  a 
result  of  this  analysis. 

Breadboard  equipment,  containing  a number 
of  typical  operating  logic  modules  utilising 
parts  similar  to  the  ones  that  have  been 
previously  irradiated  and  the  associated  wiring, 
mounting  hardware,  and  encapsulate,  are  also 
being  irradiated  to  isolate  circuit  problems. 

High  flux  - high  temperature*  Tests  are  in 
progress  on  encapsulating  materials,  electrical 
cabling,  magnet  wires,  actuators,  position 
indicators,  temperature  switch  and  temperature 
sensors* 

In  each  case  insulation  resistance  to 
ground  will  be  checked  versus  core  rate  with 
temperature  of  %>GDF  to  1000 °F* 

Determination  of  electrical  insulating 
resistors  and  physical  strength  are  being 
checked  in  the  case  of  the  encapsulating 
materials. 

Components  to  be  irradiated  are  as  follows: 

1,  Electronics  parts  * 

a.  Transistors*  200  transistors  will 
be  mounted  on  one  or  more  cards. 


b.  Diodes*  30  diodes  will  be  mounted 
on  one  or  more  cards* 

c.  Resistors.  20  resistors  will  be 
mounted  on  a card  or  rack, 

d.  20  capacitors  will  be  mounted  on  a 
rack  (possibly  on  rack  with  diodes 
and  resistors)* 

e.  Magnetic  core.  $ encapsulated 
magnetic  cores  will  be  mounted  on 
a card* 

2.  Module  breadboards 

a.  Transistorized  modules.  18  circuit 
boards,  each  containing  £ typical 
modules* 

b.  Magnetic  core  modules.  6 circuit 
boards  identical  to  the  above  but 
using  magnetic  core  logic,  >111  be 
mounted  with  the  transistorized 
boards. 

Design  for  Reliability 

The  results  of  testing  and  analysis  in  many 
cases  indicate  that  alternative  means  must  be 
taken  to  provide  for  the  long-life  reliability 
of  the  components  and  sub -systems*  The 
alternatives  available  are  in  terms  of  providing 
heat  barriers,  radiation  shielding,  and 
utilization  of  devices  that  are  tolerant  of  heat 
and  radiation. 

The  use  of  shielding  in  all  terrestrial 
reactor  installations  to  protect  personnel  is 
well  known*  The  dose  levels  achieved  in  these 
installations  are  not  only  satisfactory  for 
personnel  but  also  for  electronic  devices* 
However,  the  weight  of  this  shielding  is  great 
and  can  not  be  used  for  protection  of  space 
equipment  to  the  same  dose  level.  A compromise 
system  of  shielding,  called  a shadow  shield,  is 
used  on  the  SNAP  reactor  units  and  limits  the 
radiation  dose  at  the  electronic  payload  plane 
to  a conservative  value  in  terms  of  present 
equipment  radiation  tolerance  levels*  For  the 
present,  this  shielding  weight  is  satisfactory 
but,  with  increased  power,  the  influence  of 
this  shielding  in  terms  of  increased  satellite 
weight  with  increased  reactor  power  will  become 
progressively  critical*  Figure  $ illustrates 
this  situation.  Maintaining  a fixed  radiation 
dose  at  the  equipment  plane  with  approximately 
the  same  shadow  shield  concept,  the  weight  of 
the  shielding  will  increase  exponentially  with 
logarithmic  increase  in  reactor  thermal  power* 

Radiation  tolerant  devices.  Various 
devices  which,  by  virtue  of  their  construction 
and  material  selection  are  tolerant  of  heat  and 
radiation,  are  under  study  for  reactor 
applications  at  Atomics  International.  Some  of 
these  devices  are  ceramic  vacuum  tubes, 


159 


wire-wound  resistors,  aria  thermionic  modular 
electronic  units*  The  mounting  and  integration 
of  these  units  for  useful  application  is  also 
being  pursued*  Much  work  needs  to  be  done  in 
this  area,  and  a strong  recommendation  is 
tendered  to  electronics  systems  engineers  to 
seriously  concern  themselves  with  circuits 
utilizing  these  devices  for  basic  actuation, 
sensors  and  control  systems. 

Drift  tolerant  circuits*  Hie  net  effect  of 
nuclear  radiation  on  electronic  components  is 
predominantly  that  of  parameter  drift  with  dose 
rate*  The  tolerance  of  a circuit  to  that 
characteristic  is  of  fundamental  importance 
since  many  circuits  are  dependent  upon  precise 
values  for  each  component.  Certain  circuits, 
however,  can  be  chosen  which  would  allow  a 
broad  band  of  component  values  and  still  operate 
successfully*  Nevertheless,  a sufficiently 
broad  application  of  this  approach  is  highly 
unlikely. 

In  the  three  alternatives  described,  the 
underlying  requirement  in  each  is  the  exact 
knowledge  of  the  nature  of  the  radiation  effect. 
This  Is  true  not  only  for  the  designer  but  also 
for  the  reliability  analyst. 

Conclusion 

Prediction  of  the  life  capability  and 
functioning  characteristics  during  the  component 
life,  as  well  as  failure  probability,  lies 
within  the  technical  framework  of  the 
reliability  analyst ) and  it  is  in  this  area  that 
the  usefulness  of  the  statistical  method  can  be 
demonstrated.  Binominally  or  exponentially 
based  demonstration  plans  for  long  lived  reactor 
power  equipment  are  simply  not  reasonable  in 
terms  of  time  and  money.  Therefore,  new 
techniques  are  required  both  in  analysis  and  in 
demonstration*  The  analysis  and  testing 
procedures  in  use  at  Atomics  International 
represent  one  approach.  Others  are  undoubtedly 
available*  In  any  event,  it  is  believed  that 
the  solution  will  constitute  a joining  of 
engineering  design  analyses  and  statistical 
hypothesis* 

Appendix  A 

Detail  Method  for  the  Reliability  Approach 

An  approach  to  reliability  analysis  has 
been  selected  by  Atomics  International  which 
makes  use  of  presently  available  data  and  data 
from  limited  tests*  To  illustrate  this 
approach,  a simple  circuit  with  resistive, 
inductive,  and  capacitive  loads  is  used)  and  the 
time  dependent  effect  of  radiation  on  the 
circuit  current  flow  will  be  calculated. 


§ 


U R 

.-'YYY’rT W'/WW 


U 

i & 

Wiring  Diagram 


Description:  The  function  of  this  circuit  is  to 

modify  the  input  voltage  by  means  of  electronic 
components  contained  in  the  circuit.  This 
modification  results  in  a certain  output 
current  i . When  i is  greater  than  a certain 
value  A,  Shis  function  is  satisfactorily 
performed.  However,  when  i is  less  than  a 
certain  value  B,  the  functi8n  is  not  performed 
and  a failure  has  occurred. 


COMPONENT  DESCRIPTION 

rating 

STRESS 

OPEff/RATED 

TOTAL 

FAILURE  HATE 

* 

volts 

WATT 

OTHER 

1,  CAR  BOR  COMPOSITION 
RESISTOR  -R 

1 

- 

1/2-1 

1 MEGOHM 

A 

.02 

2,  R.  Fr  CHOKE  ~L 

- 

225 

1-2 

2H 

A 

.007 

3,  ELECTfiOLTttC 
CAPACITOR  -C 

" 

200 

- 

.2 

.01 

The  purpose  now  is  to  examine  this  circuit 
in  a way  that  a prediction  can  be  made  in  terms 
of  the  probability  of  operation  after  tinae  l!tM* 
There  are  two  effects  which  must  be  examined: 

(l)  sudden  failures  due  to  electrical, 
mechanical  and  t hernial  stress,  and  (2)  degrada- 
tion failures  due  to  the  same  stresses  but  in 
combination  with  radiation.  The  main  difference 
in  the  two  effects  is  due  to  the  radiation  dose 
which,  by  virtue  of  the  accumulative  effect,  is 
time  dependent. 

Circuit  values  are  selected  nominally  to 
the  operating  rating  established  in  accordance 
with  design  reliability  goals*  This  circuit, 
therefore,  has  a probability  of  successful 
operation  equal  to  R = n = n -A  it.  The 

n = i ei 

circuit  is  now  exposed  to  a nuclear  flux  of 
(lO^n/cm^/sec).  After  103  seconds,  the  circuit 
has  accumulated  approximately  lO^nv-Q-t  neutrons 
of  a broad  energy  band.  The  effect  on  each 
component  can  be  estimated  from  the  data 
contained  in  R.E.I.C*  reports1,  in  terms  of 
percent  change  in  parameter  vs,  radiation  dose 
(sometimes  temperature  effect  is  included).  See 
Figure  6 for  example.  Limiting  boundaries  are 
noted  between  the  curves  at  a certain  radiation 
dose  for  each  sample. 


160 


COMPONENT  G0UNDARY  VALUES  (A  PARAMETER)  % CHANGE 

TIME  IN  SECONDS 

t1  = 10,000 

t2  = 100,000 

t3  = 1,000,000 

t4  = 1,800,000  j 

1.  RESISTOR 
(1  MEGOHM) 

-1 

-3.a 

-2.5 

-5.0 

-5.0 

-7.0 

-4 

-6 

2.  R.  F,  CHOKE 
(2H) 

-15 

-50 

-15 

-65 

-15 

-50 

-10 

-40 

3.  CAPACITOR 
(4/Lt/xO  j 

-5 

-20 

-5 

-30 

-5 

-10 

-10 

-40 

In  each  case,  (t^  t2,  ty  t^)  the  boundary 

values  are  changing.  The  time  factor  is  intro- 
duced because  of  the  life  prediction  requirement 5 
and  since  the  effect  of  neutrons  is  accumilative, 
the  flux  rate  data  in  Figure  6 can  be  multiplied 
by  time  in  seconds  and  the  total  damage  at  time 
(t)  determined* 

Since  many  considerations  are  inter  roe  shed 
in  these  results,  the  boundaries  are  considered 
range  values  for  a stochastic  variable  ] and, 
■without  assuming  a normal  distribution,  values 
are  selected  between  these  boundaries  using  a 
rectangular  random  table.  Each  circuit 
component  is  evaluated  in  this  manner  and  at 
time  "t^u  a set  of  component  values  is  obtained 
and  inserted  into  the  circuit  analysis*  The 
circuit  values  are  computed,  and  output  value 
obtained*  This  output  value  is  then  compared 
with  circuit  success  or  failure  based  upon 
previously  established  criteria*  At  least  1000 
repetitions  of  these  selections  are  made.  In 
each  case  the  calculated  output  is  compared 
with  this  success/failure  criteria.  The 
frequency  distribution  of  these  total  values  is 
then  examined  and  a probability  of  success 
statement  made  for  time  "t^"*  The  effect  of 
integrated  flux  dosages  for  additional  times 
(v  v v t^,  ...  t^)  is  also  determined, 

and  probability  estimates  for  these  time 
intervals  established*  (See  Table  III.) 

In  order  to  handle  the  random  catastrophic 
failure  prediction,  it  is  necessary  to  examine 
the  circuit  stress  variation  in  terms  of  change 
in  operating  to  rated  stresses  with  accumulative 
flux  dosage  (Table  IV).  For  example,  circuit 
current  is  governed  by  the  resistivity  load] 
therefore,  changes  to  the  resistive  elements 
due  to  radiation  at  each  time  interval  can  be 
noted  as  an  Increase  or  a decrease  in  operating 
circuit  current  stress.  Failure  rate  values 
can,  therefore,  be  adjusted,  using  presently 
available  curves  for  an  estimate  of  the  random 
catastrophic  failure  probability.  Both 
probability  calculations  can  be  programmed  on  a 
digital  computer  and  the  results  multiplied  for 
an  estimate  of  the  probability  of  success.  For 
each  time  interval,  the  adjusted  random  failure 
rate  is  obtained  by  noting  the  average  value 
for  the  circuit  current  (average  over  1000 
trials)  and  using  this  value  as  the  numerator 
In  the  operating/rated  ratio  in  failure  rate 
curves. 


In  estimating  the  total  probability  of 
success  (R)  of  the  circuit,  the  probability  of 
functioning  success  (Table  III)  for  each  time 
(t)  is  considered  independently  of  the  random 
catastrophic  failure  events  5 however,  system 
survival  is  dependent  at  any  time  "t"  on  the 
success  of  each  event]  therefore,  Rf  is 
multiplied  by  R^. 

The  usefulness  of  an  approach  of  this  type 
is  dependent  upon  substantial  data  gathered  in 
a systematic  manner  whereby  Individual  factors 
can  be  isolated  and  the  interactions  determined* 
This  problem,  however,  is  very  complex  since  so 
many  factors  are  involved.  The  complexity  can 
be  visualized  by  considering  the  factorial 
design  of  Table  V for  determining  the 
significant  factor  effects  for  a single  class  of 
resistors*  Table  VI  illustrates  the  additional 
possible  combinations  of  resistors  and  other 
components  which  make  this  type  of  solution  so 
complex*  On  the  other  hand,  small  changes  in 
testing  techniques  can  provide  substantial 
increases  in  data  that  would  be  useful  for 

reliability  analyses.  For  example,  consider 
Figure  7 as  reproduced  from  R.  E.  I.  C* 

Report  Wo.  10.-^  This  figure  describes  the 

flux  for  diodes.  Part  Wo*  1*JA60B  (G.E.)  at  two 
temperatures*  The  curves  are  in  sets  and 
represent  boundary  values  for  the  four  diodes 
checked  at  2$°C  and  the  two  at  150° G.  The 
usefulness  could  have  been  enhanced  markedly 
by  increasing  the  sample  size  at  each  temperature 
to  at  least  30  and  by  adding  one  additional 
temperature  point*  In  so  doing,  it  would  be 
possible  to  handle  the  data  in  such  a manner 
that  the  degree  of  certainty  in  the  values 
obtained  in  the  tests  could  be  established.  The 
additional  test  point  also  allows  accurate 
cross  plotting  because  of  the  increased  sample 
size.  Therefore,  in  each  test  contemplated, 
adequate  sample  size  and  number  of  points  should 
be  included  so  that  a broader  application  of  the 
results  can  be  accomplished. 

References 

1.  Radiation  Effects  Information  Center, 

Battelle  Memorial  Institute,  Columbus,  Ohio# 

a#  Report  Wo*  10,  "The  Effect  of  Nuclear 
Radiation  on  Semiconductor  Devices", 
April  30,  I960. 

b.  Report  Wo*  12,  "The  Effect  of  Wuelear 
Radiation  on  Electronic  Components", 
April  30,  I960. 

c*  Report  Wo*  1$,  "The  Effect  of  Wuelear 
Radiation  on  Components",  February  l£, 
1961. 

d.  Report  Wo*  18,  !IThe  Effect  of  Wuelear 
Radiation  on  Electronic  Components, 

June  1,  1961. 


l6l 


e.  Report  No*  20,  uThe  Effect  of  Nuclear 
Radiation  on  Resistors  and  Resistive 
Materials'1,  January  l£,  I960, 

Z.  North  American  Aviation,  Inc.,  NA-57 -959, 
"Bimonthly  Technical  Progress  Report  for 
Development  of  High  Temperature  Aircraft 
Electric  System",  covering  period  September, 
195>9j  to  May,  1961.  Reports  14  through  23. 
Performed  under  Air  Force  Contract  AF-33(600) 
35U8 9,  Project  No.  7-(l£-6o58)-60197. 

3.  "Aircraft  & Missiles",  May  1961. 


162 


163 


7580-1077 


SPACE  Pomp  PEQU/PE/UENTS 


(9M>j)  dBMOd  3VDIU10313 


1 6k 


CALENDAR  YEAR 


POWER  FOR  SPACE  MISSIONS 


165 


FISCAL  YEAR 


>- 

h-  oo 


X 

u 

< 

o 

on 

Q. 

OL 

< 

>- 

I— 


CD 

< 


LU 

on 


sis 

•-EJ3 

on 


o 

a: 

< 

a 

2 

< 

H 

oo 


2 

o 

H* 

< 

a 

< 

on 

on 


CD 

CD 

0 

1 

8 

lO 

h- 


CM 

co 

i 

00 

I 

in 


1 66 


00 

I 

CD 

ro 


n 

73  , 

— "0 

Hn 
<> 
> r 


^ m 
pa  n 
m h 

-i 

> o 
z -n 
n 
m 


70 

> 


-n) 

(J1 

00 

o 

2 

o 

& 

CO 

© 


FREQUENCY^ 
o 


73 

m 

n 

H 

Z*3 

25 

cs 

TO  ^ 

55 

sg 

Hm 

03  1 
C= 


167 


4 


PERCENT  CHANGE  AT  RADIATION  DOSE 


lli 

o 

2 

o 

LLI 

O 

2 

O 

LLI 

O 

2 

O 

UJ 

o 

2 

o 

UJ 

O 

2 

O 

LU 

CD 

2 

O 

2 

H 

2 

h> 

2 

H 

2 

h- 

2 

H 

2 

P 

X 

u 

Q 

< 

< 

X 

u 

< 

Q 

< 

< 

X 

u 

< 

Q 

< 

< 

X 

u 

"< 

O 

< 

< 

X 

u 

< 

Q 

< 

< 

X 

u 

< 

Q 

< 

OH 

12 

DC 

£2 

OH 

C2 

< 

X 

u 


Q 

< 


OJ 

CD 

1 

ao 

I 

in 


1N3WN0HIAN3  N0I1VIQV3 


168 


-62  7580-10494 


ESTIMATED  CHANGES  IN  RESISTANCE  AS  A FUNCTION  OF  TIME  FOR 
IOO-TO  1,000,000  OHM  CARBON  COMPOSITION  RESISTORS 


30NVlSIS3d  Nl  39NVH0  1N30  d3d  CI31VIM1S3 


00 

I 

in 


170 


TIME,  10  seconds 

"62  7580-10497 


30  v rms 
60  ~ 


171 


^2:  E.  -j 

Q.305 
Q co  z I,, 


O Oj 

ifJC£ 

q;  O • 

H co  CL 

Ij  LU 
<XU. 
2>  H-  LU 

U0H 

<x 

O LU 

^2*: 
x up 
o ^ 
;5<-l 
o-J< 
icy 


< 2 

2 o 

oyp 

«oh< 

< < tK 
U IK  UJ 
U C£  CL 
O UJ  O 


UJ^U^ 

SE°-< 

2ho. 

<=>>-, 


: IU  _J  > 
: O 11.  Hi 


_l  HI  2 
<lfi- 

LU  H;  “ 

Oil 

S w 

“HU 

LUCL2 
to  UJ  < 

UJ  U H 
IXJ2 
H UJ  co 


UJ  Z 7 III 

=>3=0^ 
00-^2 
Q H < 

§<5^ 

U.  CO  SE  CK 


UJ  o 

Uuu 

UJ  2 to 

o<< 

<HUIco 
^ i2  ^ 
< wU 
UJ  UJ  UJ  H 
JQ^OCQ 


<£ 

cl: 

X CQ  _ 
co  — rr 

UJ>S 

Q r u 

o 1 
™ -J  rg 
COvo 
1™  -ss  X 


Sui;h 
S ^ fo 

O ^ LO 


co  2 a 

a:  n 

©o' bo ! 

hO^  I 

n H x 1 


<S^UJ' 

U>£fll 


co  uj  o 
po  UJ 

Hu. 

^ Q O 
U U 2 
< co  ^ 

U<  S 


Q X 
UJ  Oo 
Hco  J 2 
WHO  u' 

^5o  5: 

uj  ^ 1 : 


172 


SNAP  TEST  ENVIRONMENTS 


L73 


7580-10488 


SIMULATED  SAMPLING  SCHEDULE 


UJ 


t/J 

LU 


< 

> 

o 

o 

< 

q: 


iu 

to 


LU 

to 


UJ 

to 


UJ 

to 


O 

<Z3 

o 

m 


UJ 


> 

O 

o 

< 

O' 


Hi 

to 


ro 

LU 


LU 

to 


LU 

to 


UJ 


UJ 

O 

CL 

O 

u 


LU 

a: 

OJ 

oc 

o 

X 

o 

X 

o 

l- 

<£> 

r 

1“ 

u 

u 

LU 

00 

to 

VO 

u_ 

< 

CL 

to 

: z : 

l 

IU 

tx 

o: 

< 

U 

Z> 

u 

fV 

CL 

J- 

o 

0- 

to 

■ 

, 

* 

=3 

UJ 

CM 

ro 

C 

O 

QC 

UJ 

-J 

CD 

< 


17k 


7580-10493 


> 

LLJ 

-I 

CO 

< 


_l 

X 

< 

X 

X 

X 

H 

X 

X 

X 

X 

O 

X 

X 

X 

X 

1- 

# 

1— 

O' 

z 

CL 

x 

X 

X 

X 

X 

X 

X 

X 

o 

u 

o 

UJ 

H 

oo 

CL 

X 

X 

X 

X 

ID 

X 

X 

X 

X 

o 

O 

< 

V 

UJ 

u 

1- 

< 

co 

DC 

0. 

X 

X 

X 

X 

UJ 

O 

X 

X 

X 

X 

QC 

u 

3 

< 

CM 

LL 

CL 

x 

X 

X 

X 

o 

o 

X 

X 

X 

X 

o 

u 

z 

<*y. 

cl 

CL 

X 

X 

x 

X 

o 

X 

X 

X 

X 

u 

UJ 

CL 

3> 

CO 

CO 

o 

_J  o 

CM 

oo 

3 CM 

h- 

<CM 

_l 

LL 

3 

OO 

oo 

LU 

CL 

co 

LU> 
O wo 

NO 

oo 

CM 

On 

m 

CD 

CO 

()NO 

CM 

On 

On 

Os 

On 

3 

CO 

UJ 

t— 

CM 

CO 

^r 

4— 

H 

CVJ 

cn 

o 


i 

s 

10 


CO 

CD 

I 

00 

in 


175 


STANDARDIZED  TEST  FORMAT  COMPONENT 


7580-10490 


TABLE  VI 
RESISTORS 


MFG 

TYPE 

RATING 

DESCRIPTION 

REMARKS 

% 

jjjjjjl 

R (VALUES) 

XXX 

CARBON  COMPOSITION 

10 

54- 1 

100 -22  MEG 

CARBON  COMPOSITION 

5 

y2-i 

ion -22  MEG 

WIRE  WOUND 

10 

54  -2 

.27  n -8200  n 

WIRE  WOUND 

5 

54-  2 

.27  n -8200  n 

MOLDED  METAL  FILM 

1 

'A  -*2 

30.1  -1.5  MEG 

MOLDED  DEPOSITED  CARBON 

1 

54- 1 

ion -249  MEG 

EPOXY  DEPOSITED  CARBON 

1 

54 

ion -2.49  MEG 

WIRE  WOUND 

POWER 

5 

5-225 

in-250K 

WIRE  WOUND 

CERAMIC 

1 

54  -100 

.in-2.5  MEG 

CARBON  FILM 

GLASS 

1 

V8-V4 

ion-1.  MEG 

CDM 

MOLDED 

1 

Vb  -54 

10n-2.5  MEG 

XXX 

ETC 

ETC 

ETC 

ETC 

ETC 

A 

r 

^ j 

TYPES  OF  COMPONENTS 

1.  ! 

RESISTORS 

2- 

CAPACITORS 

3. 

TRANSFORMERS 

4. 

RELAYS 

5. 

SOLENOIDS 

6. 

MOTORS 

7. 

SWITCHES 

6. 

CONNECTORS 

9.! 

PLUGS  & SOCKETS 

10. 

WIRE 

11. 

INSULATION 

12. 

TUBES 

13. 

SEMICONDUCTORS 

a. 

TRANSISTORS 

b-| 

DIODES 

14. 

THERMISTORS 

15. 

AND  OTHERS 

5-8-62 


177 


REDUNDANCY  AS  APPLIED  TO  ANALOG  CIRCUITRY  FOR  PROJECT  RELAX 


E.  L*  Bolden 

Radio  Corporation  of  America 
Camden,  New  Jersey 


R.  A*  Smith 

Radio  Corporation  of  America 
Astro-Electronics  Division 
Hightstown,  New  Jersey 


Summary 


u 


The  use  of  redundancy  in  analog  circuit- 
ry should  be  carefully  weighed  to  determine 
the  suitability  of  the  level  of  application 
within  a system.  Criterias  dictating  this 
level  are  circuit  unreliability,  circuit  crit- 
icality to  system's  operation,  weight,  space 
and  cost*  The  use  of  redundancy , standby 
operating  will  result  In  larger  net  gains  in 
reliability  over  the  standby  inoperative 
technique  when  automatic  switching  of  the 
latter  is  required*  When  earth  controlled 
switching  is  provided,  the  latter  technique  is 
desirable,  especially  at  the  function  level* 
The  incorporation  of  redundancy  in  Project 
Relay  results  in  a predicted  reliability  of 
*9508  increasing  the  reliability  by  a factor 
of  1*5  over  that  of  a non-re dundant  system. 


Introduction 


When  it  is  required  that  a system  be  de- 
signed to  a quantitative  reliability  figure, 
it  is  not  enough  that  parts  and  stresses  be 
kept  to  a minimum.  During  various  stages  of 
design,  In  a systems  development,  it  frequent- 
ly becomes  apparent  that  reliability  design 
goals  must  be  met  by  means  other  than  parts 
and  electrical  stress  minimizing.  Where  such 
levels  can  not  be  met  by  minimizing  tech- 
niques, then  additional  effort,  usually 
through  the  use  of  redundancy,  may  achieve  or 
surpass  the  required  levels* 

Redundancy  when  applied  has  as  its  ob- 
jective the  improvement  of  the  systems  reli- 
ability and  effectiveness*  If  very  high  reli- 
abilities are  required,  redundancy  may  encom- 
pass duplication,  triplication,  or  an  even 
higher  usuage  of  parts,  circuits  or  systems* 

The  combination  is  not  limited  to  merely 
duplication,  that  is,  one  out  of  two,  or  trip- 
lication, one  out  of  three,  but  may  he  on  a 
basis  of  two  out  of  three,  or  three  out  of  five, 
or  whatever  combination  Is  most  suitable  for 
the  particular  situation  at  hand.  This  may 
apply  at  any  system  level*  It  may  encompass 
whole  systems  or  functions,  circuits  or  even 
parts.  Factors  which  will  involve  the  level 
at  which  redundancy  can  best  be  applied  are 
weight,  electrical  performance,  matching. 


switching,  sensing,  and  etc.,  as  well  as  the 
actual  gain  in  reliability  that  can  be  achieved. 

Redundancy,  when  consideration  is  given 
to  its  application  In  analog  circuitry,  has  as 
its  goals  the  same  objectives  as  when  it  is 
applied  elsewhere.  The  actual  application, 
however,  may  yield  something  more  than  the 
paralleling  of  functions,  circuits,  etc.  For 
an  illustration  let  us  take  one  leg  of  the 
bridge  rectifier  of  a power  supply  as  shown  in 
Figure  1. 


The  string,  shown  in  detail,  encompasses 
diodes  in  series,  with  each  diode  shunted  by  a 
capacitor  and  resistor.  If  we  examine  the 
reliability  aspects  of  this  configuration  in 
detail  it  becomes  apparent  that  the  reliability 
of  the  string  is  increased  above  that  of  a 
single  diode  if  the  diode  dominant  mode  of 
failure  is  "short".  In  examining  the  string  in 
detail,  the  following  assumptions  are  made* 

Part  selection  has  been  such  that  a single 
diode  is  rated  at  the  expected  maximum  PIV 
across  the  entire  string.  The  diode  shunting 
resistance  is  of  such  a magnitude  and  wattage 
that  it  is  not  overstressed  if  exposed  to  the 
maximum  PIV  across  the  entire  string  and  its 
shunting  effect  across  the  diode  in  the  for- 
ward direction  is  negligible ; and  the  capac- 
itor can  individually  withstand  the  maximum 
total  expected  PIV.  With  the  diode  falling 
predominantly  short,  then  all  three  diode -re- 
sistors- capacitors  combination  would  have  to 
fail  before  the  string  would  completely  fail. 

A reliability  model  for  the  string  would  show 
the  following  probabilistic  configuration. 


rlF 


rllT 


rlB 


XLA 


rlC 


r2AJ 
P2B  ' 
Q2A 

P2B‘ 

Q2B 


■3A 


«3A- 

P3B' 


r3B 


'3B 


Q3B  

I3C  - 


l?9 


OlB 

1 QlB 


P2C 
Q 2B 


Where  PlA,  ?2k>  and  P3A  are  the  probabili- 
ties associated  with  all  three  surviving  when 
all  three  are  operable,  Q^A,  and  Q3A  are 
the  associated  failure  probabilities,  ?1B,  P2B* 
and  P^  the  probabilities  associated  with  two 
surviving  after  one  has  failed.  In  the  case 
of  the  diode  string,  the  failure  rate  would 
change  as  failures  occur.  The  individual 
diode  combination  failure  rate  increase  would 
be  a function  of  the  inverse  voltage  and  not 
the  forward  voltage  since  the  forward  dissi- 
pation or  stress  change  during  conduction 
would  be  negligible*  For  a single  diode  instead 
of  the  series  diode  combinations,  the  expo- 
nential failure  law  would  apply. 


That  is 


« e 


-At 


The  series  combination,  if  non-redundant 
would  still  follow  the  exponential  failure  law. 
However,  since  there  is  redundancy,  and  although 
the  individual  parts  still  follow  the  exponent- 
ial failure  law,  the  resultant  is  not  at  all 
exponential  in  nature.  It  assumes  a character- 
istic approaching  that  of  a normal  distribution. 
The  probability  of  survival  is  given  by  the 
relation. 


ps  “ P1AP2AP3A  + P1B  P2B  Q3A  + P1B  P3B  <52A  + 
P2B  P3B  Q1A  + P1C  Q2B  Q3B  + P2C  Q1B  %B  + 

P3C  ®1B  Q2B  or 


'(Aia  +^2B  + A3a>  -(AiB+A2B)t 

= e + e 

-A3At  “(  A ib  +A3BH 

(1-e  ) + e 


(1-e 


-(  X 2B+  ^3B  ^ 


(1-e 


-AiAt 


) 


0,85  when  all  three  are  operable,  0,30  when 
only  two  are  operable  and  0,75  when  only  one 
is  operable,  the  P„  of  the  string  of  three  is 
Q,9?ii,  The  reliability  improvement  is  evident 
even  though  the  levels  of  Ps  are  pessimistic, 
as  compared  with  the  0,9  figure  for  the  single 
diode.  In  practice,  the  Ps  of  the  parallel 
combination  of  each  series  element  would  be 
very  nearly  the  same  as  the  individual  diode. 
The  subsequent  string  improvement  is  then 
immediately  apparent. 

The  use  of  circuit  redundancy,  from  the 
reliability  standpoint,  has  two  criterias  for 
review  prior  to  application.  The  unreliability 
of  the  circuit  under  consideration  should  be 
considerably  worse  than  the  remaining  associ- 
ated circuits  of  an  equipment  or  a system1 s 
function  and/or  the  circuit's  criticality  to 
the  system's  effectiveness  should  be  at  a high 
level.  The  reduction  of  part  application 
levels  and  improved  component  part  reliability 
have  a tendency  to  keep  the  unreliability  of 
all  circuit  types  fairly  equal  and  has  a 
tendency  to  negate  the  first  criteria.  How- 
ever, the  circuit's  criticality  (defined  here 
as  the  degree  of  curtailment  of  the  system's 
operational  output  resulting  from  the  circuit 
failing)  is  usually  very  evident  and  can  be 
realistically  coped  with.  An  example  of  this 
circuit  redundancy  is  discussed  later  in  the 
command  control  circuitry. 

The  next  area  of  redundancy  is  at  the 
function  or  equipment  level.  Here,  the 
criteria  for  use  depends  on  the  equality  of 
the  unreliability  of  the  individual  circuits, 
the  cost  of  isolation  and  combining  for 
circuit  redundancy  vs  equipment  redundancy, 
and  the  effect  on  weight  and  space.  As  an 
illustration  of  this  application,  the  re- 
ceiver from  the  command  control  circuitry  will 
be  used. 


+ (l-e“A2Bt)  (i_e  A3Bt  ) e-Alct  + 
(l-e’A1Bt)  ( i_e  -A3B  j e -A2ct  + 

(1-e- A IB*)  (1-e  - X2Bt)  ( e -X3ct). 

It  is  apparent  from  this  Illustration 
that  reliability  can  be  enhanced  by  this 
arrangement.  In  the  illustration  the  sub- 
numerics 1A,  2A,  and  3A  refer  to  the  probabili- 
ty and  failure  rates  when  all  three  diode  com- 
binations are  operable;  IB,  2B,  and  3B  refer 
to  the  probability  and  failure  rates  when  two 
out  of  three  are  operable;  and  1C,  2C,  and  3C 
refer  to  the  probability  and  failure  rates  when 
one  out  of  three  is  operable.  If  we  assume 
for  illustrative  purposes  that  a single  diode 
has  a P , for  time  t,  of  0,9,  and  again  assume 
a Fs  for  the  diode -re sis tor -combination  of 


Because  of  the  derating  policies  en- 
voked  on  parts  application  and  since  part  com- 
plexity levels  are  nearly  identical,  the  un- 
reliability of  the  circuits  are  very  nearly 
equal  (in  this  example  approximately  0,00111), 
The  addition  of  a redundant  circuit  would  in 
effect  reduce  the  unreliability  associated 
with  a one  out  of  two  situation,  by  a factor 
of  1000  or  if  discussion  is  translated  into 
terms  of  an  effective  failure  rate  it  would 
change  from  0,151;  */lQ0Q  hrs,  to  0*0Gl5k  %/ 
100O  hrs.  However,  to  accomplish  such  an 
arrangement.  Isolation  and  combining  circuits 
would  have  to  be  Incorporated,  as  a minimal 
effort,  to  have  continuity  of  operation. 

The  cost  of  isolation  and  combining 
would  be  a minimum  failure  rate  of  0,020  %/ 
1000  hrs.  (assuming  a single  diode  would  ac- 
complish these  functions).  Since  thirteen  (13) 
circuits  are  Involved,  it  would  require  at 
least  twelve  (12)  such  networks  all  which  would 


l8l 


have  to  be  considered  as  series  reliability 
elements.  The  reliability  of  such  a configu- 
ration would  be  depicted  by  the  following: 


N^lb 


!iB_  \I21L  VJ 


\ 


JiL 


\P2M 

\ P2H  \ _ 


where  the  subscripts  A thru  M represent  circuit 
stages,  the  subcripts  1 and  2 represent  the 
redundancy  of  each  stage,  the  subscript  si 
thru  si 2 represents  the  isolation  and  combining 
stages. 

The  reliability  of  the  command  receiver 
then  is  bounded  by  a maximum  value  associated 
with  these  isolation  and  combining  circuits 
and  approaches  0*9983* 

If  two  receivers  are  operated  in  parallel 
redundancy,  isolation  is  required  at  the  in- 
puts and  isolation  and  combining  may  be  re- 
quired at  the  output*  The  input  isolation  will 
not  require  any  electrical  component  parts  but 
could  be  either  coaxial  in  nature  or  a printed 
circuit*  Either  one  will  exhibit  a negligible 
failure  rate  contribution*  However,  the 
isolation  and  combining  of  the  output  may  con- 
tribute a failure  rate  of  O.OliO  $/l0Q0  hrs* 

The  overall  reliability  of  this  configuration 
will  involve  the  product  of  the  redundant 
receivers  reliability  (0*999893  based  on  a 
failure  rate  2.012  %/l000  hr s/each)  and  the 
isolation  and  combining  reliability  (0*99972) 
giving  a value  of  0,999613  as  opposed  to 
0*9983  for  the  circuit  redundant  condition. 

Such  are  the  redundancy  techniques  ap- 
plied to  analog  circuitry  of  the  NASA  Relay 
spacecraft  electrical  system  design.  The  areas 
of  application  are  discussed  in  the  subsequent 
paragraphs  * 

NASA* s Relay 

The  system  described  is  NASA!s  Relay, 
being  designed  and  fabricated  by  the  Astro- 
Electronics  Division  of  RCA.  For  the  purpose 
of  this  paper,  it  has  been  broken  down  into 
four  major  areas,'  a)  the  system  power  supply \ 
b)  the  wide-band  repeaters,  c)  the  command 
control  circuitry j and  d)  the  telemetry  cir- 
cuitry. Each  area  will  be  broken  down  to  il- 
lustrate the  redundancy  incorporated  in  the 


design  and  the  effects  of  this  redundancy  on 
reliability  numerics* 

System  Power  Supply 


Solar  Cells  and  Diodes  - Conversion  solar 
energy  to  electrical  energy* 

Voltage  Limiter  - Limit  voltage  to  vol- 
tage regulators  for  satisfactory  regulation. 

Charge  Controller  and  Limiter  - For  limit- 
ing charging-discharge  rate  to  batteries. 

Voltage  Regulators  (High  and  Low  Power )- 
Tight  voltage  control  for  critical  circuits. 

Batteries  - Storage  for  peak  power  re- 
quirements . 

Wideband  Repeaters 

Receiver  - Receives  1725  MCS  amplifies 
and  converts  to  ^170  MC  for  drive  power  to 
TWT  Amplifier.  Contains  both  wi deb and  and 
narrowband  circuits  to  accomodate  television 
and  telephone  signals,  respectively.  Also  in- 
cludes a i|080  beacon  to  aid  in  ground  tracking 
of  the  wideband  antenna* 

T.W.T  Amplifier  - Power  Amplifier  b050- 
ll2£0  MCS  11  watts  output,  33db  gain  at  5*5  mw 
input  from  receiver. 

T,W*T  Power  Supply  - Voltage  developed 
for  the  T.W.T  Amplifier, 

Command  Control  Circuitry 

Command  Receiver  - Reception  of  VHF  sig- 
nal for  commands  translate  to  an  audio  out- 
put* 

Demodulator  - Detection  of  pulse-duration- 
modulated  5.1i5l  KC  tone  and  regenerate  a noise - 
free  PDM  signal* 

Decoder  - Translates  PDM  pulses  into  "0", 
"1%  and  sync  pulses  which  operate  a magnetic 
shift  register  decoder  providing  20  output  com- 
mands. 


Control  Box  - Accepts  decoded  commands 
and  performs  the  function* 

Telemetry  Circuitry 

Encoder  - Acceptance  of  telemetry  and 
special  experiment  data  conversion  into 
digital  data  for  transmission. 

Transmitter  - Provided  necessary  RF  power 
for  tracking  and  transmission  of  encoder  or 
horizon  scanner  data* 

Modulator  Switch  - Acceptance  of  horizon 
scanner  FM  subcarrier  or  encoder  output  for 
modulating  transmitter  RF  power. 

Horizon  Scanner  - Provide  pulse  data  for 


182 


Receive  Transmit 

Antenna  Antenna 


NASA's  Relay- 


183 


Solar 
cells  & 
Diodes 
SC 


Voltage 

Limiter 

VL 


Battery  Charge  & 
Control  Circuit 

BCCl 


Battery  Charge  & 
Control  Circuit 

BCC2 


Battery  Charge  & 
Control  Circuit 

" BCC3 


High  Power 
Regulator  #1 
HPR1 


T 


To 


Wideband 
I Repeater  #1 


High  Power 
Regulator  # 2 
HPR2 


To 


| Wideband 


Low  Power 
Regulator 
LPR 


Low  Voltage 
Sensor 


I 

I | Repeater  # 2 

!!  . 

71  To 

r Radiation 
| I Experiments 


Signal 


Out  to 
Command 


Control 


System  Power  Supply 


18k 


Solar  Panel  Interconnections 


185 


#1  Inputs  for  command  functions  from  Command  Control  Box  output  channels. 


Wide-band  Repeater 


186 


indication  of  spacecraft  attitude  to  horizon. 

Sun  Sensor  (GFE)  - Frovide  output  pulse 
indicating  attitude  to  sun* 

Magnetic  Torque  Coil  - When  provided  with 
current  flow  develop  magnetic  field  for  atti- 
tude control. 


wise  insignificant  to  the  system.  Acceptable 
system  operation  then  is  defined  as  only  one 
failure  per  cell  block  will  be  acceptable 
for  satisfactory  operation*  On  the  basis  of 
this*  then  eleven  (11)  out  of  twelve  (12) 
cells  in  every  block  must  survive  the  operation- 
al mode.  This  can  be  adequately  described  by 
the  binomial  expression 


Precession  Damper  - Provide  dampening  to 
prevent  tumbling  of  spacecraft  in  orbit. 

The  equipment  listed  above  when  integrated 
into  a system  is  capable  of  receiving  and  re- 
transmitting either  video  information  and 
voice  in  one  direction  or  two-way  voice  by  the 
wideband  subsystem  and  telemetry*  special 
experiment  and  attitude  control  data  by  the 
telemetry  subsystem.  The  block  diagram  il- 
lustrating systems  operation  is  shown  as 
Figure  2* 

Systems  Power  Supply 

Figure  3 illustrates  the  block  diagram 
of  the  systems  power  supply.  Four  areas  of 
redundancy  are  incorporated  in  this  design; 
the  solar  cells*  the  battery  charge  and  con- 
trol* the  high  power  regulators  and  the  low 
voltage  sensor.  There  are  two  power  output 
points  provided  for  the  equipment*  The  reg- 
ulated output  is  fed  by  both  the  solar  cells 
and  the  battery  sources*  Whereas  the  unreg- 
ulated output  is  fed  nominally  from  the  bat- 
tery sources  alone.  However,  when  the 
battery  voltage  is  low  an  emergency  path  has 
been  provided  between  the  first  and  second 
outputs. 

For  redundancy  in  the  solar  cell  area*  a 
series-parallel  wiring  scheme  allows  failures 
to  occur*  either  shorts  or  opens,  without 
seriously  jeopardizing  the  capability  of  pro- 
viding the  necessary  system  power.  Figure  h 
illustrates  the  inter-connection  wiring  of 
these  cells  on  a panel  basis.  Normally  three 
(3)  elements  of  four  (l*)  parallel  cells  are 
connected  in  series  in  each  block  of  cells. 


p1?  q°  ♦ 12P11  ql 


or  0.998120  + 0.0015814  ” 0.999712  where  P 

s 

of  each  solar  cell  is  0*99825* 


Now  consider  the  design  to  incorporate 
no  additional  power  delivery  capabilities 
but  designed  to  provide  the  exact  power  re- 
quirements. The  failure  then  of  any  cell  be- 
gins to  reduce  the  current  delivery  capabili- 
ties. Under  these  conditions*  then  a single 
failure  would  be  classified  as  a system  failure 
and  the  probability  of  survival  of  the  solar 
cells  would  be  directly  reflected  by  the  sum- 
mation of  the  individual  cell  failure  rates* 

The  second  area  of  redundancy  is  a com- 
plete functional  one  for  one  redundancy  in  the 
battery  charge  and  control  circuitry.  Here 
three  (3)  circuits  have  been  provided  where 
any  two  of  the  three  will  provide  sufficient 
operation  provided  the  spacecraft  is  not  re- 
quired to  operate  extensively  during  a dark 
period.  The  circuitry  consist  of  a comparator 
and  series  regulator  network  which  controls 
the  charging  rate  to  the  battery  packs*  When 
the  battery  voltage  is  25  or  above  and  with 
normal  input  voltage  applied  the  charging  rate 
is  between  0.5  to  0.65  amperes.  With  voltage 
under  25  volts  and  normal  input  the  charging 
rate  is  controlled  to  a trickle  rate  of  ,05  to 
,0?  amperes.  Since  two  out  of  three  are 
necessary,  a direct  comparison  can  be  made  to 
indicate  the  reliability  gain  of  this  redun- 
dancy. Again  the  applicable  expression  for 
determining  the  numerics  is  the  binomial  ex- 
pression which  gives  a value  for  the  2 out  of 
3 condition  of  0,9993  and  the  value  of  0,985^ 
for  2 out  of  2. 


There  are  five  (5)  blocks  of  cells  for 
each  leg  and  fifteen  (15)  legs  on  the  solar 
cell  system.  The  following  numerical  calcu- 
lations shows  the  benefit  of  using  such  a de- 
sign, Looking  at  Figure  ii*  to  a cell  block* 
the  loss  of  any  individual  cell  can  have  one 
of  two  effects.  If  the  cell  shorts  then  the 
voltage  contribution  of  that  cell  block  is 
lost.  If  the  cell  opens  the  current  contri- 
bution of  that  cell  is  lost.  Since  the 
system  configuration  delivers  a nominal  35 
volts  when  only  28  volts  is  required*  the 
voltage  loss  will  be  insignificant  and  will 
remain  insignificant  due  to  the  parallel  legs* 
Likewise  the  current  contribution  will*  if  an 
open  occurs*  be  lost  but  since  a maximum  loss 
of  power  from  2050  cells  can  be  accepted*  the 
eighty  cells  that  are  being  treated  are  like- 


The final  point  of  redundancy  In  the 
system  power  supply  consists  of  two  high  power 
voltage  regulators*  one  each  for  the  wide-band 
repeater  stages.  This  is  not  a one  for  one 
redundancy  but  each  regulator  is  a series 
element  in  the  repeater  stages  where  complete 
subsystems  are  provided  on  a one  to  one  basis. 
This  is  illustrated  In  Figure  5. 

Wide-band  Repeaters 

The  wide-band  repeater  is  a complete 
subsystem  composed  of  the  receiver  and  the 
high  power  transmitter  for  handling  either 
TV  tranmission  between  continents  or  for 
handling  two  way  voice  or  telegraphy  trans- 
mission* Figure  5 shows  the  system  operation- 


187 


Receiver  Local 
Oscillator 
Multiplier  Chain 


Filter  — Mixer 


Multiplier 


Wideband  Receiver 


188 


Transmitter  Local 
Oscillator 
Multiplier  Chain 


al  block  diagram  illustrating  the  complete  one 
for  one  redundancy  on  a subsystem  basis.  It  is 
controlled  in  such  a manner  that  any  short 
occurring  after  the  series  regulator  network 
can  be  eliminated  by  an  off-command. 

Other  redundancy  aspects  are  in  evidence 
in  the  wideband  receiver  (see  Figure  6),  An 
IF  switch  in  the  receiver  allows  the  unit  to 
process  either  the  single  way  TV  and  voice 
transmission  or  the  two  way  voice.  The  two 
receivers  provide , from  the  IF  switch  to  the 
adder  circuit , additional  reduced  modes  of 
operation.  The  probability  of  having  at  least 
single  way  TV  and  voice  transmission  or  two  way 
voice  transmission  is  associated  with  having 
1 out  of  k of  these  circuits  working  plus  the 
remaining  portions  of  the  receiver  as  series 
elements.  The  possibility  of  having  both 
single  way  TV  and  voice  transmission  and  two 
way  voice  transmission  become  1 out  of  2 for 
each  type  of  circuit  plus  the  remaining 
portions  of  the  receiver  as  series  elements. 

One  other  area  of  part  redundancy  is  in- 
corporated in  the  TWT  power  supply  high  voltage 
rectifier  elements.  Here  the  rectifier  diodes 
were  purchased  in  such  a manner  to  obtain  ad- 
ditional series  diodes  for  redundancj'. 

The  high-voltage  diode  rectifiers  are  com- 
posed of  series  elements  to  withstand  the  peak 
inverse  voltages  of  such  circuits.  In  order  to 
assure  adequate  performance  from  these  units, 
the  higher  FIV  rated  units  have  been  used.  The 
units  selected  are  rated  at  1*000  and  5000  PIV, 

To  obtain  a realistic  failure  rate  for  these 
diodes,  the  effect  of  the  redundant  series 
elements  was  considered.  Analyzing  the  smaller, 
LOGO  volt  unit,  there  are  ten  diodes  in  the 
series  string,  each  rated  at  1*00  PIV.  The 
operating  reverse  voltage  of  the  circuit  in- 
volved is  1650  volts,  which  requires  only  5 
series  elements.  The  second  five  are  redundant. 
However,  to  keep  a voltage  derating  factor  on 
the  PIV,  seven  diodes  are  considered  to  be  re- 
quired . Then  three  (3)  diodes  can  fail  due  to 
shorting,  without  reducing  the  peak  inverse 
capabilities  to  the  derating  level.  The 
reliability  then  can  be  described  in  terms  of 
the  probability  that  three  of  the  series 
elements  will  fail.  This  Is  described  by  the 
sum  of  the  probabilities  of  0,  1,  2,  or  3 fail- 
ures occurring  and  can  he  calculated  by  using 
the  binomial  expression*  If  it  is  assumed  that 
the  probability  of  failure  for  each  diode  re- 
mains the  same,  then  the  total  probability  of 
getting  three  or  less  failures  Is  0.99977.  Then 
the  effective  failure  rate  associated  with  each 
leg  of  the  rectifier  circuit  Is  .0026  %/l00Q 
hrs.  or  0,003  percent.  This  is  the  failure 
rate  used  to  describe  the  redundant  diodes. 

Command  Control  Circuitry 


mand  signals.  This  is  accomplished  in  the 
block  diagram  shown  in  Figure  7*  This  diagram 
is  a complete  two-redundant  configuration  of  the 
subsystem  utilized  in  this  project.  The  redun- 
dancy utilized  Is  standby  active.  Though  the 
basic  reliability  gain  is  less  than  that  with 
standby  inactive,  the  net  gain  is  greater  since 
the  standby  active  negates  the  need  for  sensing 
and  switching  and  their  additional  unreliabili- 
ties as  would  be  required  in  a standby  inactive 
redundancy  configuration. 

For  reliability  comparison  purposes  a 
non-redundant  subsystem  is  shown  in  Figure  8, 
Utilizing  the  same  functional  building  block 
as  in  the  two-redundant  configuration,  the 
reliability  gain  or  reduction  of  unreliability 
can  be  easily  ascertained. 

Consider  first  the  block  diagram  of 
Figure  8.  From  this  figure,  the  reliability 
diagram  of  Figure  9 has  been  constructed.  In 
this  configuration,  the  reliability  of  the  sub- 
system is  dependent  upon  the  product  of  the 
individual  function  reliabilities.  Thus,  for 
this  configuration,  the  reliability  is  no 
better  than  the  most  unreliable  function  and  is 
substantially  less  than  this  in  practice  since 
no  function  has  a reliability  of  unity.  The 
subsystem  mathematical  model  takes  on  the 
form 


P = P(t)  . F(t)  . P(t) 

Non-Redundant  RF  L.0,  Mixer 
Command  Control 


p (t)  . p ct) 

IF  Strip  Demodulator 

where  P^t).  P^t). 


P (t) 

Decoder 

* P (t) 

IF  Strip 


P(t) 

Rcvr 


The  probabilities  of  survival  for  30  days 
(t^=  720  hours}  were  determined  for  those  control 
functions  required  to  operate  continuously. 

These  are  shown  where  t^  appears  as  the  in- 
dependent variable.  For  those  functions  on 
a cyclic  basis,  a 10#  duty  factor  has  been 
estimated  as  being  applicable.  Those  functions 
are  shown  by  the  time  function  t , Thus  tp  - 

tj/LO.  2 

The  non- redundant  control  configuration 
utilized  these  times.  The  probability  of  sur- 
vival for  the  command  control  receiver  function 
up  to  and  Including  the  IF  stages  was  estimated 
at  99 ml 9%  for  30  days.  The  demodulator  function 
was  estimated  at  98.60#  probability  of  survival 
for  30  days  and  the  decoder  at  97.21#  for  30 
days  at  the  10#  duty  factor.  The  probability  of 
survival  of  the  non-redundant  command  control 
through  the  decoder  function  {not  including  "GE 
gates" } then  is  95.588#. 


The  command  control  is  a complete  sub- 
system of  Project  RELAY  whose  function  is  the 
reception,  demodulation,  and  decoding  of  com- 


189 


Gated  Decoded 
Outputs  (10) 


De- 

L/UUCl 

1 

'OR  Gates" 


190 


RF 

Amp. 


Gated 

Decoded 

Outputs 


191 


p (t) 

Receiver 


192 


are  required  for  completing  the  reliability  diagram. 


193 


I / 

p (t) 
Rcvr.  1 


P(t) 

Rcvr.  1 


/ 


p(t) 
Demod  1 


P(t) 

Decod  1 


i 


19h 


Consider  now  the  command  control  sub system , 
the  two  redundant  configuration,  as  depicted 
in  Figure  7*  This  subsystem  incorporates  re- 
dundant receive  and  demodulate  functions  and 
redundant  decode  functions.  Also  each  of  the 
ten  decoded  outputs  is  channeled  through  a 
redundant  pair  of  ltQH  gates"  * The  reliability 
diagram  for  this  subsystem  is  shown  in  Figure 
10*  In  order  to  eliminate  sensing  and  switch- 
ing functions  that  are  generally  necessary 
for  redundant  configuration,  an  antenna  coupler 
has  been  utilized  to  isolate  the  inputs  from 
each  other,  yet  allow  each  receiver  to  be 
indepently  operable  from  a common  antenna.  The 
demodulated  receiver  outputs  are  fed  through 
appropriate  isolation  to  both  decoders  giving 
a both -either- or  redundant  arrangement. 
Similarly,  the  decoded  outputs  are  also  both- 
either-or  through  paired  OR  gates.  With  this 
arrangement,  all  functions  operate  simulta- 
neously and  there  exists  no  requirement  for 
sensing  or  switching.  A failure  along  one 
channel  or  leg  is  not  reflected  into  the 
system  because  of  the  unidirectional  character- 
istics of  the  various  forms  of  isolation. 


From  the  reliability  diagram  in  Figure  10, 
the  mathematical  model  takes  on  the  form  (not 
including  the  redundant  OR  gates ): 


p (t) 
Redundant 
Command  Rcvr, 


p(%) 

Ant. 

Cpl. 


i-d-p{t2) 

Decoder 

#1 


t‘ 


(l-P(t))  (1-P(%)) 
Rcvr  Rcvr 

#1  #2 


] 


l~P(t2)  ) 
Decoder 

h - 


p(t2) 

Coupler 
(demod- 
dec ode ) 

The  probability  of  survival  of  the  redun- 
dant configuration  yields  a probability  of 
approximately. 99* 86%,  This  consists  of 
(1-h.hl  x 1CT6)  x 100$  for  the  redundant 
receiver  portion,  99,92%  for  the  redundant 
decoder  portion  and  99*9h%  for  the  demodulator- 
decoder  coupler.  As  can  be  noted,  the 
probability  of  survival  for  30  days  has  been 
increased  from  95,588#  to  99, 86$,  This  cor- 
responds to  a 31*5  to  one  reduction  in  system 
unreliability.  The  antenna  coupler  has  been 
considered  to  contribute  negligibly  to  system 
unreliability.  It  is  of  printed  circuit 
construction  and  contains  no  active  components 
and  relies  principally  upon  its  geometry 
which  is  rigidly  fixed  for  its  performance. 

As  stated  earlier,  reliability  improve- 
ment can  be  gained  through  redundancy  utiliz- 
ing the  inoperative  standby  mode  and  activating 
the  redundant  unit  only  when  required.  Assuming 
initially  a zero  failure  rate  for  the  sensing 


and  switching  mechanisms  the  reliability  model 
takes  on  the  configuration  shown  in  Figure  11 
and  the  mathematical  relation  as  follows: 


F(t)  redundant,  standby,  inoperative 

p (t)  +CA  ,t)(p  (t) 

Rcvr  1 Rcvr  1 Rcvr  2 


3 


E 


(t)  + (A  .t)  (P  (t)) 

Demod  1 Demod  1 Demod  2 


lP 

u 


(t)  + ( A .t)  (p 

Decoder  1 Decoder  1 Decoder  2 


3 

3 


Utilizing  the  probability  of  survival  for 
the  various  command  control  functions  gives 
the  following: 


F(t)  -| 

p(t)  d+At) ] 

Redundant 

i_  Rcvr.  J 

standby. 

Inoperative 

-I  1 

r n 

p(t)  d+^t) 

p(t)  (i  + At) 

L Demod*  J 

1-  Decoder  -J 

P{t)  - P(t)  j P(t)  ° P(t>  s 
Rcvr.  Rcvr.  Demod.  Demod. 

#1  n a n 


P<t)  - P(t) 

De  c oder  De  coder 

» 1 #2 

The  reliability  of  P of  the  redundant 
standby  inoperative  command  control  exclusive 
of  the  sensing  and  switching  is  99*999%*  Al- 
lowing for  the  necessary  sensing  and  switching 
reduces  the  probability  of  survival  for  this 
subsystem  to  a level  substantially  equal  to 
that  of  the  product  of  the  probability  of  sur- 
vival of  the  required  sensing  and  switching 
elements.  Since  the  receiver  demodulator  and 
decoder  functions  have  a probability  approach- 
ing unity  over  the  interval  of  time  (t),  it  is 
apparent  from  the  3 cases  illustrated  that  the 
greatest  net  reliability  gain  can  be  achieved 
using  the  operate  standby  redundancy. 

The  outputs  from  the  two  decoders  are  fed 
to  the  command  control  box  to  performing  com- 
mand functions.  The  most  critical  circuits 
in  the  control  box  are  the  two  voltage  regula  - 
tors  which  are  common  to  each  control  channel, 

A failure  in  either  of  these  circuits  causes 
the  complete  loss  of  spacecraft  control. 
Therefore  complete  parallel  redundant  regulators 
have  been  provided  as  illustrated  in  Figure  12* 
Review  of  the  circuit  illustrates  that  combina- 


195 


tions  of  particular  failure  modes  are  necessary 
to  cause  the  regulator  voltage  to  exceed  its 
useful  range*  It  will  be  noted  that  the  most 
critical  failure  mode  in  the  regulator  is  the 
open  circuit.  Should  a component  part  open 
in  each  regulator  circuit  this  would  cause  the 
loss  of  the  output  voltage.  However,  the  open 
failure  is  usually  contributable  to  overload 
stress  conditions  that  occur  as  the  results 
of  shorts  occuring  in  other  series  elements 
or,  in  the  case  of  the  semi-conductor  devices, 
a result  of  transient  voltage  conditions  that 
exceed  the  mamimum  ratings  of  the  part.  Both 
overload  conditions  such  as  this  have  been  con- 
trolled by  careful  selection  of  component 
parts  and  their  application. 

Should  or  Q2  fail  in  a shorted  condition 
collector  to  emitter  the  load  resistors  are 
capable  of  absorbing  the  additional  voltage 
drop  without  overloading.  The  10  watt  zener 
will  absorb  the  additional  current  loading  and 
still  remain  within  its  zener  voltage  and 
power  dissipation  rating.  Effective  control 
of  the  voltage  will  be  maintained  under  these 
conditions.  Further  analysis  will  indicate 
that  it  requires  three  components  failures  by 
short  in  a single  circuit  before  the  regulator 
will  cause  a system  malfunction.  The  reliabil- 
ity numerics  for  the  circuit  are  based  however 
on  the  worse  case  condition  of  one  component 
in  each  regulator  will  fail  due  to  opens.  The 
redundancy  decreases  the  probability  of  failure 
from  3-5  chances  in  1000  to  2.0  chances  in 
10,000. 

Twenty  command  channels  are  provided  by 
the  control  box  which  provides  individual  "on’* 
switching  to  each  redundant  and  single  element 
in  the  system.  The  "off"  commands,  for  both 
wideband  repeaters  and  telemetry  transmitters 
are  coupled  together,  primarily  due  to  lack  of 
command  signals.  Loss  of  either  of  these  cir- 
cuitswould  allow  the  associated  equipments  to 
remain  in  the  "on"  condition.  This  problem 
is  not  as  severe  as  it  first  looks  since  the 
telemetry  transmitters  only  draw  250  milliwatts 
each  and  the  wideband  repeaters  which  draw  75 
watts  each  are  provided  with  other  cut-off 
means.  This  emergency  cut-off  is  the  low  vol- 
tage sensing  network,  mentioned  earlier  in  the 
power  supply,  which  generates  and  feeds  a 
negative  pulse  through  the  "on"  control  cir- 
cuitry thus  turning  the  series  regulators  to 
the  "off"  position. 

In  addition  to  this,  loss  of  RF  energy  in 
the  wideband  receiver  generates  an  additional 
turn  "off"  pulse  to  the  series  regulators.  Loss 
of  any  of  the  other  command  circuits  will,  of 
course,  remove  the  associated  equipment  from 
use  but  due  to  the  redundancy,  this  will  only 
reduce  the  systems  effectiveness. 


Telemetry  Circuitry 

The  telemetry  subsystem  includes  the 
experimental  and  telemetry  data  encoder,  the 
horizon  scanner  and  two  telemetry  transmitters. 
One  of  the  transmitters  will  be  utilized  the 
majority  of  the  time  as  a tracking  beacon  and 
the  other  will  be  utilized  to  transmit  either 
the  encoder  or  the  horizon  scanner  data.  This 
set  of  transmitters  have  been  considered  as  a 
redundancy  configuration  since  as  long  as  one 
transmitter  survives,  the  data  and  tracking 
function  can  be  time  shared.  The  time  sharing 
programming  can  be  accomplished  from  ground 
at  the  discretion  of  operating  personnel.  This 
does  reduce  the  system1  s effectiveness  but  it 
does  not  cause  complete  abortion  of  the 
telemetry*  transmission. 

Conclusions 

The  incorporation  of  redundancy  within 
Project  Relay  improves  the  probability  of 
mission  success  for  the  complete  communication 
system  to  0.9508.  The  wideband  TV  and  telegra- 
phy transmission  subsystem  to  0.9935  and  the 
telemetry  transmission  subsystem  to  0.953U* 
These  values  represent  gains  of  1.5>  11.7, 
and  2.76,  respectively  over  that  of  the  non- 
redundant  counterpart.  Table  1 is  a tabulation 
of  both  the  non-redundant  and  redundant  areas 
to  illustrate  the  reliability  gain. 


197 


Table  1 


Circuit N on-Redundant  Redundant 


System  Power  Supply- 
Solar  Panels 
Voltage  Limiter 

Battery  Charge  and  Control  Circuit 
Series  Diodes  to  Unregulated  Bus 

Command  Circuitry 

Command  Receiver  and  Demod. 
Coupling  Circuit 
Decoder 

Telemetry  Circuitry 
Encoder 

Horizon  Scanner  & SCO 
Modulator- Encoder  Switching 
Telemetry  Transmitter 

Wide -band  Transponder 
Regulator 
On- Command 
Receiver 
TV-Phone  Switch 
2 Minute  Timer 
Transmitter 
TV-Phone  Drive 
Off- Command 

Communications  System 


0.981b 

0.9961 

0.9997 

0.9997 

0.9972 

0.9972 

0.985b 

0.9993 

0.9991 

0.9991 

0.9525 

0.9978 

0.980 

0.9996 

0.999b 

0.972 

0.9992 

0.9375 

0.9570 

0.9716 

0.9716 

0.987b 

0.987b 

0.9957 

0.9957 

0.9806 

0.9806 

0.9912 

0.9996 

0.9985 

0,9998 

0.995 

0.9999 

0.9996 

0.9987 

0.9998 

0.9999 

0.9266 

0,95 

198 


PREDICTING  SPACE  MISSION  SUCCESS  THROUGH  TIME-STRESS  ANALYSIS 


fas. 


I,  Boshay  and  H.L,  Shuken, 

Space ^General  Corporation,  El  Monte , California 


( yJl  ^ Abstract 

A technique  of  reliability  prediction  is 
introduced  which  encompasses  the  review  of  ve- 
hicle components,  their  periods  of  active  and 
passive  performance,  and  the  schedule  of  opera- 
tional stresses  involved  in  the  mission*  This 
methodology  is  applied  to  Able star  space  program 
upper  stage  vehicles;  where  component  reliabili- 
ties are  established  from  prior  experience  using 
ground  test  criteria.  This  is  interpreted  as 
the  unity  stress  level;  upon  which  basis  the  re- 
liability of  the  vehicle  is  constructed*  It  is 
accomplished  by  tracing  each  significant  vehicle 
function  and  accompanying  operational  time- stress 
through  the  progress  of  the  intended  vehicle  mis- 
sion, After  the  vehicles  are  fabricated;  com- 
parisons are  made  of  the  prior  published  predic- 
tions and  subsequent  tests  on  the  actual  vehicles 
The  results  are  seen  to  be  very  encouraging  for 
further  application  of  this  technique. 

The  flight  proven  propulsion  reliability 
is  found  to  correlate  with  predicted  values  with- 
in 1$  differential-  The  newly  developed  elec- 
tronic portions  do  not  correlate  as  well;  i.e, 
vary  up  to  10$.  However;  there  are  specific 
problems  that  point  to  reasons  these  items  are 
not  within  state-of-the-art  range  of  expectancy. 

The  details  of  the  analysis  of  propulsion 
system  and  electronics  portions  of  the  vehicle 
are  given.  These  include  establishing  failure 
rates;  operational  stresses  and  the  resultant  re- 
liability calculations  for  two  pre-defined  levels 
of  mission  success.  An  appendix  is  provided  dis- 
closing the  determination  of  confidence  limits 
and  the  calculation  of  same*  Twelve  tables  are 
included  listing  failure  expectancies  of  propul- 
sion and  electronic  components;  duration  of  oper- 
ational time  stresses;  functional  breakdown  of 
Able star  stage;  list  of  critical  items  and  their 
failure  rates,  expected  failure  rates  under  non- 
firing tests  and  failure  rates  of  components  ex- 
perienced in  Able star  systems  produced  subsequent 
to  the  pre -hardware  prediction. 

Defining  the  Objectives 

An  analysis  was  made  of  the  reliability 
of  the  Able star  stage  based  on  the  design  para- 
meters and  available  time-related  failure  data 
on  propulsion  and  airborne  electronics  component 
parts  prior  to  assembly  of  the  first  complete 
system  in  i960. 

Reliability  was  defined  in  accordance 
with  AFBM  Exhibit  58-10;  Reliability  Program  for 
Ballistic  Missile  and  Space  Systems;  which 
stated: 


"Reliability  - The  probability  that  an 
item  will  operate  within  specified  limits  for  the 
time  and  operating  conditions  specified;  utili- 
zing support  equipment  and  procedures  in  the  man- 
ner intended, " 

The  "specified  limits"  referred  to  in 
the  above  definition  of  rel lability  are  defined 
by  the  Model  Specification  or  manufacturer^ 
quoted  specification  limits.  Use  of  supporting 
equipment  and  procedures  implies  that  the  ve- 
hicle will  he  in  perfect  functioning  condition 
at  the  time  of  launch.  Although  performance  out- 
side specification  limits  is  construed  herein  as 
failure  (unreliable);  it  should  be  noted  that 
specifications  generally  allow  considerable  safe- 
ty margin.  Therefore;  flight  abort  will  not  nec- 
essarily be  the  result  of  operation  outside  of 
specified  limits. 

For  the  purposes  of  this  analysis;  the 
Ablest ar  stage  is  considered  to  be  composed  of 
two  different  major  systems ; the  AJ10-1Q^  pro- 
pulsion system  and  the  Abies  tar  Forward  Section.* 
Since  the  coast  times  for  the  Transit  2-B  and 
Courier  1-B  are  different;  a separate  reliability 
estimate  was  made  for  each.  Also*  it  is  of  in- 
terest to  find  (l)  the  probability  of  all  parts 
functioning  in  accordance  with  specifications;  so 
that  the  flight  may  he  called  "perfect";  and  (2) 
of  finding  the  probability  of  all  "essential" 
parts  functioning  in  accordance  with  the  specifi- 
cations for  the  mission  functions;  so  that  the 
flight  may  be  called  acceptable.  Table  A shows 
the  above  mentioned  reliabilities  with  95$  con- 
fidence limits.  The  calculation  methodology  and 
these  estimates  are  described  in  detail  below, 
and  in  the  Appendix.  Comparison  of  these  predic- 
tions with  reliability  calculations  from  ground 
test  duty  on  the  first  stage  produced  per  Table  B 
indicated  the  approach  was  valid  for  prediction 
on  a single  vehicle  basis.  Further  substantia- 
tion was  revealed  as  more  vehicles  were  produced 
and  launched  (see  Figure  l). 

Basis  of  Analysis 
Method  of  Analysis 

The  reliability  predictions  reflected  in 
this  analysis  pertain  to  inherent  design  charac- 
teristics of  the  Able star  vehicle.  This  does 
not  include  aspects  of  applications  integrity 
hazards  in  the  engineering;  fabrication  or  field 
handling  operations.  It  is  anticipated  that 
there  is  some  probability  such  factors  will  de- 
grade the  inherent  reliability;  however,  their 
effects  are  the  considerations  of  the  monitoring 

^Exclusive  of  Advanced  Guidance  System 


199 


program  desc  ,d  in  the  latter  part  of  the  pa- 
per. 

Inherent  reliability  calculations  for 
this  study  are  based  on  constant  hazard  time 
stress  conditions.  This  follows  from  consider- 
able experience  with  ballistic  missiles  and 
space  vehicles,  which  has  indicated  that  part 
failure  may  be  equally  likely  to  occur  during 
any  time  in  the  vehicle  flight  while  the  parts 
are  under  stress.^  With  this  constant  hazard 
condition  and  the  time  stress  periods  of  the 
operating  components  the  low  failure  probabili- 
ties found  are  associated  with  the  Poisson  dis- 
tribution of  times  to  failure,  T: 


where:  M is  mean  time  to  failure 

t is  the  operational  time  stress 

For  the  non-failure  condition  we  define  the  re- 
liability model  as: 


where  f is  the  failure  rate  which  is  defined  in 
the  same  time  units  as  t. 

Source  of  Failure  Rates 

The  Failure  Rates  listed  in  the  fourth 
column,  ”No.  of  Failures  per  103  Hours  in 
Manned  Aircraft”  of  Table  1,  ”Failure  Rates  of 
Electronic  and  Associated  Parts”  are  derived 
from  Fire  Control  System  equipment  failure  data 
during  10,000  system  hours  of  flight  operation. 
Failure  rates  on  the  propulsion i system  were  ob- 
tained during  static  test  firings  and  during  pro- 
pulsion system  checkout  tests.  These  failure 
rates  are  listed  in  Table  2.  For  the  Unity 
Stress  Level*  during  powered  flight  and  coast, 
and  for  Ref.  (l)  Stress  Level2  during  the  coast 
period,  this  system  is  assumed  to  be  under  the 
same  environmental  stresses  as  a manned  aircraft. 
Ground  test  data  on  system  performance  of  the 
same  components  in  other  vehicles  was  used  to 
estimate  the  failure  rate  of  the  Able star  stage 
during  first  and  second  stage  burning  time. 
Component  part  failure  rates  for  parts  used  in 
the  Able star  stage  are  shown  in  the  discussion 
that  follows  below,  and  in  Tables  4,  6,  and  7* 

Reliability  Levels  and  Stress  Factors 

The  choice  of  the  Unity  Stress  Level 
stems  from  the  uncertainty  in  accepting  stress 
level  factors  from  reference  sources.  Since 
these  factors  were  derived  from  systems  which 
are  not  duplicated  in  the  Ablestar  configura- 
tions, it  follows  that  these  factors  cannot  be 
the  same  for  both.  To  prescribe  the  complete 
range  of  possible  reliability  variation  for  the 


^Hereinafter  called  USL. 


test  data  available,  95$  confidence  limits  were 
determined.  This  is  not  be  be  confused  with  a 

confidence  in  the  reliability  of  the  vehicle, 
which  could  be  established  from  actual  flight 
successes. 

Environment -Time  Program 

For  each  flight,  the  Ablestar  stage  may 
be  described  as  experiencing  five  distinct  en- 
vironments from  first  stage  ”ride”  to  post  burn- 
out. These  five  environments  are  (l)  the  ” ride” 
on  the  Thor,  (2)  the  time  of  first  firing  of  the 
n104”  propulsion  system,  (3)  the  coast  time,  when 
the  failure  rate  is  assumed  to  be  the  same  as  for 
manned  aircraft,  (4)  the  period  of  re-start  (sec- 
ond firing),  and  (5)  the  period  beyond  shutdown 
for  the  Spin  Table  actuation  and  the  payload  sat- 
ellite separation.  These  times  are  shown  in 
Table  3*  The  time  between  first  stage  burnout 
and  second  stage  firing  is  not  considered  separ- 
ately because  it  is  too  short  in  length  to  affect 
the  overall  calculations . 

Analysis  of  the  AJ10-104  Propulsion  System 

The  AJ10-104  propulsion  system  reliabili- 
ty, when  used  in  the  Ablestar  stage,  was  estima- 
ted on  the  basis  of  the  best  time-related  failure 
data  on  this  equipment  available.  The  values  are 
based  on  the  accumulation  of  all  recorded  test 
data  (time  and  replaced  parts)  from  the  Able  pro- 
gram. As  tests  are  continued  on  Ablestar  vehicle^ 
the  reliability  and  confidence  reflected  in  this 
report  were  expected  to  become  more  valid  or  per- 
haps require  readjustment.  Since  no  prior  meth- 
odology was  available  to  predict  rocket  reliabil- 
ity in  advance  of  actual  hardware  and  tests  on 
that  hardware,  much  speculation  was  entertained 
on  the  accuracy  of  these  predictions. 

Estimation  of  Failure  Rates 

At  the  time  of  the  analysis  there  were 
thirteen  successful  flights  involving  Able-type 
units  prior  to  Ablestar  or  Delta.  There  also 
were  four  other  Able  units  which,  unfortunately, 
never  had  opportunity  to  perform  due  to  malfunc- 
tions occurring  in  the  first  stage  vehicles.  The 
total  flight  time  of  these  units  was  1332  seconds, 
for  an  average  of  a little  over  100  seconds  oper- 
ation per  propulsion  system.  It  was  evident  that 
a valid  estimate  could  not  be  made  with  this  data 
since  the  time  on  each  unit  was  only  a little 
more  than  l/3  the  expected  AJ10-104  firing  time 
and  the  total  firing  time  was  only  four  and  one 
half  times  that  of  a single  AJ10-104  propulsion 
system*  s operating  time.  1;  ::  \ 

To  obtain  more  operating  time^  data  was 
obtained  from  the  PFRT,  Acceptance,  and  checkout 
tests  of  these  prior  vehicles  flown.  The  ”hot” 
firings  for  all  vehicles  added  up  to  3999  seconds. 
Based  on  ten  checkout  tests  of  AJ10-40  and 
AJ10-42  propulsion  systems,  the  average  checkout 
time  of  a single  vehicle  was  found  to  be  64.4 
hours.  Therefore,  it  was  concluded  that  the  hot 


200 


firing  test  time  was  not  sufficiently  significant 
as  added  test  time  in  this  analysis  i For  seven- 
teen vehicles  the  total  checkout  time  was  calcu- 
lated as  IT  x 64.4  = 1095  hours. 

In  determining  the  USL  reliability  this 
1095  hours  was  used  as  the  basis  for  determining 
the  failure  rates  of  propulsion  system  elements. 

During  the  checkout  and  firing  tests  per- 
formed prior  to  the  analyses  there  were  38  AJ10- 
104  applicable  failures  of  one  kind  or  another 
which  could  have  happened  in  flight  and  would  af- 
fect operation  of  the  vehicle  as  specified.  In 
addition  to  these  there  were  other  malfunctions 
which  would  not  affect  vehicle  operations  as  spec- 
ified and  were  therefore  not  included  in  this 
evaluation. 

These  38  applicable  failures  were  the 
basis  of  Table  8 which  lists  those  failed  items, 
and  the  number  of  these  items  on  the  propulsion 
systems , AJ10-40,  42,  101,  and  104.  The  failure 
rate  obtained  is  also  listed  in  this  table. 

Environmental  Conditions 

The  AJ10-104  reliability,  however,  is  the 
product  of  several  separate  reliabilities  because 
it  has  the  restart  capability  and  thus  undergoes 
several  environmental  changes. 

At  lift-off  the  most  severe  vibration 
takes  place  as  the  first  stage  engine  ignites. 
Combined  vibration  and  acceleration  environment 
continue  for  about  165  seconds  before  shutting 
off.  During  this  time  relatively  few  of  the  sec- 
ond stage  parts  are  subjected  to  operating  pres- 
sures. Those  items  which  are  subjected  to  pres- 
sures include  the  helium  tanks,  regulator  valve, 
tubing,  check  valves,  tank  shut-off  pilot  valve, 
nitrogen  tanks,  regulator,  lines,  check  valves, 
and  hydraulic  system.  During  this  time  no  por- 
tion of  the  second  stage  propulsion  system,  in- 
cluding the  attitude  control  sub -system,  will  be 
operating. 

The  first  stage  shutoff  is  followed  by 
approximately  two  seconds  of  coast  time  before 
the  second  stage  ignites. 

The  next  operating  phase  takes  place  when 
the  AJ10-104  ignites  with  combined  acceleration, 
vibration,  and  high  pressures  and  temperatures. 
This  continues  with  all  items  being  stressed  until 
about  275  seconds  have  elapsed  when  the  propulsion 
system  shuts  down  for  20-30  minutes  of  coast  de- 
pending on  the  mission.  During  this  coast  period 
the  hydraulic  pump  shuts  down;  the  coast  attitude 
control  (nitrogen  System)  functions  while  the  pro- 
pellant tank  and  almost  all  lines  remain  under 
pressure.  The  coast  period  is  followed  by  a 15- 
20  second  AJ10-104  firing  in  which  all  portions 
of  the  system  are  required  to  operate  again.  This 
is  followed  by  the  final  low  stress  coast  period 
when  the  spin-table  spins  up  and  ejects  the  pay- 
load.  This  coast  period  is  about  IT  seconds.  At 
this  point  the  Ablestar  Stage  has  completed  its 
mission. 


Determination  of  Reliability 

Reliability  calculations  were  made  for 
both  the  perfect  and  acceptable  flight  situations; 
as  defined  earlier • 

Perfect  Flight.  The  reliability  of  the 
AJ10-104  propulsion  system,  including  the  Gimbal- 
ing  system,  is  computed  as 

R = exp  - [t2  + tg  f2  + -f  + fj 

where  tp  refers  to  time  under  a particular  stress 
and  fp  the  failure  rate  during  that  time,  the  sub- 
scripts 1-5  have  the  same  meaning  as  in  the  fore- 
going where  rrl"  refers  to  the  11  ride”  on  the  Thor, 
"2*'  to  the  first  burning,  11 3*1  to  the  coast  period, 
*' 4"  to  re-start  firing  and  n5,!  to  the  period  be- 
yond shutdown  during  the  spin  table  actuation. 

The  following  discussion  shows  the  method 
of  determining  the  reliability  of  the  propulsion 
system  for  the  Transit  2-B.  The  total  failure 
rates  of  the  subassemblies  of  the  AJ10-104  propul- 
sion system  are  shown  in  Table  4 and  the  failure 
rates  of  the  individual  elements  are  shown  in 
Table  6.  The  total  failure  rate  for  all  items  is 
55.76  failures  per  1000  hours  for  the  unity  stress 
level. 


During  the  "ride11  on  the  Thor,  the  thrust 
chamber  assembly  and  the  TPS  switch  are  not  under 
stress  so  fp  = 55*76  - 6.56  (Ground  Test  Failure 
Rate  of  TCA)  -0.92  (Failure  Rate  of  TPS  Switch)  = 
48.28  failures  per  1000  hours  for  the  unity  stress 
level.  During  the  first  burning  of  the  AJ10-I04, 
the  failure  rate  to,  is  55.76. 

During  the  coast  period  the  TCA>  TPS  switch, 
and  Gimbaling  components  are  not  operationally 
stressed  so  f^  = 55*76  - 6.56  (Ground  Test  Failure 
Rate  of  TCA)  - 0.92  (Failure  Rate  of  TPS  switch) 

- 4.58  (Failure  Rate  of  Gimbaling  components  in- 
cluding hydraulic  accumulator)  - 43*70  failures 
per  1000  hours  for  the  unity  stress  level.  During 
the  restart  firing  the  settling  valve  does  not 
need  to  operate  further  so  flj.  ~ 55*76  - 1.82  = 

53*94  failures  per  1000  hours  for  the  USL  level. 
During  the  17  seconds  coast  period  beyond  shut- 
down, only  the  fuel  tank  pressure  system  needs  to 
operate  and  this  has  a failure  rate  of  2*24  fail- 
ures per  1000  hours  for  bhe  USL. 

Hence  for  the  USL 


R = 


exp 


165  (48.28)  i 282  (55-76)  1260X^5^10) 

" 5600  (1000)'  3600  (1000)  3600  (1000)  ' 


. 12  (53.94)  17  (2.24) 

3600  (1000)  3600  (1000) 

= e-*0221  = .978 


Acceptable  Flight.  The  following  reli- 
ability estimate  is  based  on  the  assumption  that 
items  such  as  propellant  gas  fill  quick  disconnects 


201 


and  oxdizer  ’vent  valves  are  items  ’which  do  not 
function  or  operate  after  initial  loading.  Any 
leak  in  these  items  will  he  detected  while  the 
vehicle  is  still  on  the  ground*  It  is  also  noted 
that  the  pressure  transducers  are  not  essential 
for  acceptable  operation. 


The  items  which  are  not  required  to  func- 
tion or  are  not  under  pressure  through  the  coast 
period  are: 

USL 

F.R./lOOO  Hours 


Table  4 shows  that  the  total  failure  rate 
for  all  items  is  55  -76  failures  per  1000  hours  for 
the  unity  stress*  The  failure  rates  of  parts  which 
do  not  need  to  function  for  an  acceptable  flight 
must  be  subtracted  from  these  figures* 

The  following  tabulates  the  failure  rates 
of  these  items  not  under  consideration  for  an 
acceptable  flight: 

USL 

P*R*/lQQ0  Hours 


2 oxidizer  Probes 

1.84 

9 Transducers 

6.74 

9 Quick  Disconnects 

1.64 

1 Oxidizer  Vent  Valve 

1.82 

TOTAL 

12.04 

So  the  Failure  Rate  of  all  items  under  considera- 
tion is  55 .76  - 12,0k  = 43*72  failures  per  1000 
hours  for  the  unity  stress  level. 


Items  not  required  to  function  or  not 
stressed  during  first  stage  operation  are: 


USL 

F.R./lOOO  Hours 

Thrust  Chamber 

(1) 

6.56 

Thrust  Chamber  Prop  Valves 

(2) 

5.48 

TC  Prop  Valves  Pilot  Valves 

(2) 

2.74 

Flex  Lines  (propellant ) 

(3) 

2.74 

Pressure  Switches 

(2) 

1.82 

Fuel  Vent  Valve 

.90 

Mi s ce  llaneous  ( line s , gasket s , 
"0"  rings,  sleeves,  etc. 

1.74 

Total  failure  rate  of  items  not 
required  to  operate  during  1st 
stage  operation 

21.98 

His  total  failure  rate  estimate  of  all 
essential  and  functional  items  in  the  AJ10-1Q4 
propulsion  system  is  43- 72  failures/1000  hours  for 
the  unity  stress  level.  Therefore , the  failure 
rate,  11*  during  the  first  stage  ascent  is  45-72  - 
21.98  or  21.74  failures/1000  hours  for  the  USL 
level . 

During  the  first  burning  of  the  AJ1Q-104, 
the  failure  rate,  f^,  is  43-72  failures  per  1000 
hours  for  the  USL* 


Thrust  Chamber 

6.56 

TPS  Switch 

.92 

Gimbaling  equipment /shutoff 

during  coast  time 

3.66 

Helium  Regulator 

1.82 

Hydraulic  Accumulator 

^22 

Total  Failure  Rate  of  Items 

not  under  Stress  13-88 


Using  the  above  listing  it  is  seen  that 
the  failure  rate,  fj,  during  coast  period  for  the 
USL  is  43.72  - 13,88  = 29.84  failures/1000  hours. 
During  the  restart  firing  the  settling  valve 
doesnTt  need  to  operate  further  so  = 43-72  - 
1,82  = 41*90  failures/1000  hours  for  the  unity 
stress  level*  As  in  the  case  of  perfect  flight, 
fep  the  failure  rate  during  the  final  17  second 
coast  period,  is  2.24  f allures /l000  hours  for  the 
USL* 


Hence  for  an  acceptable  Transit  2-B 
flight,  the  USL  Is 


282  (43*72 
3600  (1000 

1260  (29-84)  12  (41-90) 

3600  (1000)  3600  (1000) 


R = exp  - 


165  (21.74) 
3600  (1000) 


+ 


’ 

17  (a .24) 
3600  (1000) 


Calculations  for  Courier  1-B*  The  calcu- 
lation  for  the  Courier  mission  was  made  in  a simi- 
lar manner  as  for  the  Transit  2~B  flight*  For  the 
Courier  1-B  system  the  Failure  Rates  for  all  en- 
vironments are  the  same  as  for  the  Transit  2-B* 

The  only  difference  in  reliability  of  the  propul- 
sion system  is  due  to  the  longer  coast  time.  The 
USL-of  a "perfect"  Courier  1-B  AJ10-104  propulsion 
system  is 


R = exp  - 
+ 


165  (48.28)  282  (35.7 6) 

3600  (1000)  3600  (1000) 

_ 

2100  (43.70)  12  (33-94) 

3600  (1000)  3600  (1000) 


+ H (2;gl0  , 
3600  (1000) 


= .968 


202 


the  USL  level  of  an  "acceptable"  Courier  1-B  AJ10- 
104  propulsion  system  is, 


R 


= exp  - 


+ 


+ 


165  (21.7*0  . 282  (4; .72) 
5600  (1000)  3600  (1000) 

2100  (29-84)  12  (U.90) 

3600  (1000)  3600  (1000) 


IT  (2.24)  ' 

3600  (1000) 


-.0220 

e 


- .978 


A similar  calculation  was  perfonned  to  obtain  the 
Transit  3 -A  reliability  prediction. 


Analysis  of  the  Ablestar  Stage  Forward  Section 

The  reliability  of  the  Forward  Section  of 
the  Ablestar  Stage  was  estimated  from  relatively 
recent  failure  rates  of  electronic  components 
found  in  10 , 000  system  hours  of  flight  operation 
of  Fire  Control  System  equipment.  The  total  fail- 
ure rate  as  shown  in  Tables  5 and  7 is  12.62  fail- 
ures per  1000  hours  for  the  USL  level  for  "perfect" 
flight  of  the  Transit  2-B  (i*e.,  when  all  compo- 
nents are  operating  in  accordance  with  specifica- 
tions); this  Is  the  failure  rate  during  the  whole 
flight  except  for  the  IT  seconds  of  spin  table  ac- 
tuation after  restart  burnout.  On  the  Courier  1-B 
the  Assembly  Integrating  Accelerometer  needn't 
function  after  the  first  burnout  so  the  failure 
rate  becomes  12.62  - 1.00  = 11.54  failures  per 
1000  hours  for  the  USL  during  the  coast  and  re- 
start periods.  The  failure  rate  of  the  components 
in  the  Forward  Section  directly  connected  to  and 
including  the  spin  table  is  .38  failures  per  1000 
hours  for  the  USL.  These  reliability  calculations 
do  not  include  the  STL  guidance  package  which  was 
Government- fur nislied  and  thus  treated  as  external 
to  the  Ablestar  Stage  as  supplied  by  Aerojet- 
General  Corporation.  In  the  case  of  "acceptable" 
flight  where  only  operation  of  essential  parts  is 
considered,  the  failure  rate  for  the  telemetry 
system  may  be  neglected  and  the  overall  failure 
rate  for  the  Transit  2-B  becomes  12.62  - 3-08  = 

9.54  failures  per  1000  hours  for  the  USL*  For 
"acceptable"  Courier  1-B  the  failure  rate  is 

11.54  - 3*08  = 8.46  failures  per  1000  hours  for 
the  USL  during  the  coast  and  restart  periods. 


The  following  calculations  show  the  USL 
reliability  estimates  of  the  Forward  Section 
Assembly. 


For  a "perfect"  flight  the  forward  section 
estimated  USL  reliability  for  the  Transit  2-B  is, 


R = exp 


[163  (12.62)  282  (12.62) 

1 3600  (1000)  3600  (1000) 


1260 

3S00" 


12,62) 

1000) 


12  (12.62) 
3600  (1000) 


4.  u (0.38) 

3600  (1000) 


]■ 


~.oo6 


.99k 


For  an  "acceptable"  Flight  the  forward  section 
estimated  USL  reliability  for  the  Transit  2-B  is. 


R = exp 


163  (9,34)  282  (9.54) 

3600  (1000J  3600  (1000) 

1260  (9.3M  + Jg  (9.34) 
3600  (1000)  3600  (1000) 


IT  (O-gg) 
3600  (1000) 


= e-°°5  = .995 


For  a "perfect11  flight  the  forward  section 
estimated  USL  reliability  for  the  Courier  1-B  is. 


R = exp  - 


165  (12.62)  282  (12*62) 

360G  (1000)  3600(1000) 


2100 

3800 


(1000)  3600  (1000 ) 


17  (0.38) 
3600  (1000) 


-.008 


■ 992 


For  an  "acceptable”  flight  the  forward 
section  estimated  USL  for  the  Courier  1-B  is, 


R = exp  - 


165  (9.3*0  . 282  (9-54) 

3600  (1000)  3600  (1000) 


(8.46) 

(1000) 


2100 
+ 3600 


. 17  (0.38) 

3600  (1000) 


12  (8.46) 

+ 3600  (1000) 


= e“*°°6  = .994 


Reliability  Monitoring 


In  order  to  assure  that  the  reliability 
predicted  in  this  report  was  obtained,  it  was  nec- 
essary to  monitor  the  components  as  they  were  test- 
ed. The  maximum  number  as  well  as  the  average  num- 
ber of  failures  for  each  component  are  given  in 
Tables  9 and  10.  For  example,  from  reading  Table 
9 we  infer  that  if  all  the  black  boxes  containing 
capacitors  were  tested  for  1000  hours  each  we  would 
not  expect  any  failures.  Even  if  there  were  as 
many  as  three  failures  of  capacitors,  this  may  still 
be  acceptable  as  random  expectancy;  however,  four 
failures  would  indicate  the  failure  rate  was  exces- 
sive. In  the  event  four  or  more  failures  were  ex- 
perienced, an  investigation  as  to  the  nature  of  the 
failures  would  be  made.  Similarly,  the  maximum 
number  of  coils,  connectors,  diodes,  and  other  elec- 
tronic parts  which  may  fail  in  ground  test  due  to 
chance  causes  can  be  read  from  Table  9.  If,  for 
instance,  the  total  test  time  per  black  box  were 
100  hours,  we  could  not  allow  any  failures  except 
for  one  each  in  diodes  and  resistors  without  ini- 
tiation of  suitable  corrective  action.  Table  10 
lists  the  propulsion  system  items  and  their  maxi- 
mum failure  rates,  and  is  interpreted  in  the  same 
manner  as  Table  9* 


203 


Initial  Results  of  Monitoring 


From  the  first  two  vehicles  produced,  data 
was  derived  from  ground  tests  performed  on  these 
vehicles  that  reflected  amazingly  close  correla- 
tion of  failure  rates  (and  hence  reliabilities)  with 
the  anticipated  figures  for  the  propulsion  subsys- 
tem. The  results  of  electronics  tests  indicated 
several  units  were  not  within  expected  failure 
rate  limitations  as  previously  described.  A tabu- 
lation of  these  initial  findings  is  shown  in  Table 
11  with  reliability  interpretation  shown  in  Table 
12.  Changes  were  initiated  in  the  electronics 
portions  of  the  stage  early  in  the  program  to  re- 
move obvious  items  of  equivocal  performance.  As 
these  changes  were  incorporated  the  reliability  of 
ele ctroni c s showed  di st inct  improvement . Example  s 
of  a monitoring  chart  and  of  monitoring  graphs  are 
shown  in  Table  13  and  Figure  2 respectively.  A new 
analysis  of  the  entire  Able star  Stage  in  its  cur- 
rent configuration  is  now  in  process  using  actual 
Able star  failure  data  and  flight  stress  factors 
including  environment.  In  7 flights  in  which  the 
Ablestar  Stage  has  been  called  upon  to  perform  to 
data  6 have  been  acceptable,  that  is  86  percent. 


204 


100 


80 


60 


>» 

-p 

•H 

i — 1 

•H 


20 


0 


Combined  Hangar 

Only 


Figure  1 

Reliability  of  Ablestar  Stages 


205 


(SJTlOtf  UT)  jq.m 


Notes  The  Electrical  Power  Subsystem  is  not  shown  on  this  graph.  With  only 

one  failure,  oc curing  in  January,  we  have  a subsystem  MTBF  of  2.04*1  hours 
for  January  1?62, 


206 


TABLE  A 


ABLESTAR  STAGE  PREDICTED  RELIABILITY  FIGURES 
PREDICTED  RELIABILITY  - ABLESTAR  STAGE  FOR  A TRANSIT  g-B  MISSION 


Ablestar  Stage 
Reliability  $ 

Propulsion  System 
Reliability  $ 

Forward  Section 
Reliability  $ 

Perfect  Flight 

97- 2 

97-8 

99.  k 

95$ 

Lower  Confid.  Level** 

96.5 

9 6.8 

99.b 

95$ 

Upper  Confid.  Level** 

97.9 

98.5 

99  A 

PREDICTED 

RELIABILITY  - ABLESTAR  STAGE 

FOR  A COURIER  1-B  MISSION 

Ablestar  Stage  Propulsion  System  Forward  Section 

Reliability  $ Reliability  $ Reliability  $ 


Perfect  Flight 

96.0 

96.8 

99-2 

95$  Lower  Confid.  Level 

95.0 

95-4 

99.1 

95$  Upper  Confid.  Level 

97.0 

97-6 

99-2 

PREDICTED  RELIABILITY 

- ABLESTAR 

STAGE  FOR  A TRANSIT  3 -A  MISSION 

Ablestar  Stage  Propulsion  System  Forward  Section 

He liability  $ Reliability  $ Reliability  $ 


Perfect  Flight 

96.1 

97-2 

98.85 

95$  Lower  Confid,  Level 

95- A 

95.92 

98.78 

95$  Upper  Confid,  Level 

96.7 

97.87 

98.94 

Acceptable  Flight 

96.98 

97-9 

99-06 

95$  Lower  Confid*  Level 

96.53 

96.95 

98-99 

95$  Upper  Confid*  Level 

97-35 

98.  Ui 

99.13 

**  The  upper  and  lower  95$  confidence  level  pertains  to  the  reliability  value  found  when  the  ground 
test  and  coast  environment  is  assumed  to  be  of  the  same  severity  as  the  powered  flight  environment , and 
the  number  of  failures  reflected  during  the  source  data  test  periods  are  considered. 


207 


TABLE  B 


ABLESTAR  STAGE  RELIABILITY  FIGURES  PROM  GROUND  TESTS 
OF  S/N  005  AND  006 , AZUSA  AND  CAPE:  CANAVERAL 


CURRENT  RELIABILITY  - ABLESTAR  STAGE  s/N-005  (COURIER  1-B  MISSION) 


Able star  Stage 
Reliability  $ 

Current 

F/Hr. 

Propulsion 

Syst.Rel.$ 

Current 

F/Hr. 

Fwd.  Sec. 
Rel.-$ 

Perfect  Flight 

85.15 

.0635 

* 1 

95.97 

.16581 

88.73 

9 5$  Lover  Confid.  Level 

80.42 

* 2 

83.60 

9 5$  Upper  Confide  Level 

88.74 

* 2 

91.58 

CURRENT  RELIABILITY  - ABLESTAR  STAGE 

! S/N-006 

(TRANSIT  3-A  MISSION) 

Able star  Stage 

Current 

Propulsion 

Current 

Fwd.  Sec. 

Reliability  $ 

F/Hr. 

Syst»Rel.$ 

F/Hr. 

Rel,-$ 

Perfect  Flight 

86.06 

.0635 

96.45*1 

.16581 

89.23 

95$  Lower  Confid.  Level 

81.40 

*2 

84.45 

95$  Upper  Confid*  Level 

89.55 

*2 

92.03 

Acceptable  Flight 

90.38 

96.45*  1 

93.70 

95$  Lower  Confid.  Level 

84.65 

* 2 

89.08 

95$  Upper  Confid.  Level 

92.86 

* 2 

95.60 

* 1 - Includes  Attitude  Control  System  as  per  Report  No.  L 0358-01-10,  Section  III 

* 2 - Insufficient  Number  of  Failures  to  Establish  Confidence  Limits 


208 


TABLE  1 


FAILURE  RATE  OF  FORWARD  SECTION  (ELECTRONIC)  PARTS 
BASED  ON  PRIMARY  FAILURES 


Ho,  of  Failures 
per  10  Hours 


Part  Type 

Component 
Test -Hours 

Failures 

in 

Manned  Aircraft* 

Capacitors 

c 

27*53  X 10 

31 

.00113 

Coils , Chokes , Reactors , 
Mag.  Amps,  Filters 

5.56  x 106 

66 

.01890 

Crystals  Semi-Cond.  Diodes 

57.50  x 106 

84 

.00146 

Motors,  Resolvers,  Gyros,  Synchros 

.1)2  x 106 

33 

.07857 

Relays 

4.31  x 106 

158 

.03673 

Resistors 

83.71  x 10^ 

228 

.00273 

Switches 

2.11  x 106 

27 

.OI280 

Transistors 

1.29  x 10^ 

35 

.02713 

Transformers 

3.16  x 106 

48 

.01522 

Total  Failures  710 


* Derived  from  FCS  equipment  during  IcA  system  hours  flight  operation 


209 


TABLE  2 


FAILURE  RATE  OF  PROPULSION  SYSTEM  (MECHANICAL) 
BASED  ON  FAILURES  IN  VARIOUS  GROUND  TESTS 


Part  Type 

UBL 

Test  Time 
Hours 

Ref(l)Level 
Equiv - Test 
Time  Hours 

Failures 

No*  of 
Failures 

10^  Hours 

Ac  cumul  at  or  , Hyd . 

1095 

21*9 

1 

.914 

Giinbal  Equipment 

1095 

21.9 

4 

3.66 

Harness } Connector 

24090 

481,8 

4 

.166 

Line,  Flex  (propellant) 

3218 

65*6 

5 

.914 

Line,  High  Pressure 

251550 

5031 

4 

.016 

Oxidizer  Probe 

2190 

43.8 

2 

.914 

Pressure  Switch 

2190 

43,8 

2 

• 914 

Quick  Disconnect 

(l)* 

Valve,  Attitude  Control' 

5475 

109-3 

1 

.183 

• 914 

Check 
Fuel  Vent 
Helium  Vent ^ 
Oxidizer  Vent^ 

5475 

109.5 

1 

.183 

1095 

21.9 

1 

• 914 

1095 

-21,9 

1 

<914 

1095 

21,9 

2 

1.828 

Hydraulic  Pressure 

Relief 

1095 

21.9 

1 

.914 

Pilot 

2190 

43.8 

5 

1.372 

Regulator 

1095 

21-9 

2 

1.828 

FTCV 

1095 

21,9 

5 

4.572 

CTCV 

1095 

21*9 

1 

• 914 

Total  Failures 

38 

^ Valves  with  superscript  (l) 

are  all  similar  and  are 

assumed  to  have  the 

same  failure 

rate . 

* The  time  of  testing  attitude  control  was  too  small  to  consider. 


210 


TABLE  3 

DURATION  OF  EACH  ENVIRONMENT  UNDERGONE  BY  ABLESTAR 


Environment 

Transit  2-B 

Time  (Seconds) 

Courier  i-B 

Booster  Duration 

165 

165 

First  Firing  Duration 

282 

282 

Coasting  Duration 

1260 

2100 

Second  Firing  Duration 

12 

12 

Post  Second  Firing 

17 

_i 1 

Total 

1736 

2576 

211 


TABLE  4 


FAILURE  RATE  OF  AJ10-104  PROPULSION  SYSTEM 


Part 

USL  Expected 
Failures / 1000 
Hours 

USL 

MTBF 

Hydraulic  System  Installation, 
Gimbal  Actuation 

3-159 

316.5 

Line  Valve  Assemblies 

6.208 

161.1 

AJ10-104  Main  Assembly,  Tanks 

• 397 

2519 

Transducer  Installation 

6-734 

148.5 

Thrust  Chamber  & Support  Assy. 

1.838 

54.5 

Harness  Installation 

.144 

6945 

Attitude  Installation  Control  and 
Restart  System 

3.972 

252 

Attitude  Control  & Restart  System 
Panel  Assembly 

7-757 

129 

Oxidizer  Valve  Hydraulic  Assembly 

1.205 

830 

Pneumatic  System  Installation  Assembly 

8.583 

116.5 

Thrust  Chamber  Assembly 

12.469 

80.0 

Fill  & Drain  System  Installation 

3.223 

310.5 

Oxidizer  Tank  Pressurization 
Installation 

.039 

25640 

Safety  and  Arming  Destructor 

.015 

65800 

Tank  Assembly 

.024 

41665 

Overall  Failure  Rate 

55.76 

17.93 

212 


TABLE  5 


FAILURE  RATE  OF  ABLESTAR  FORWARD  SECTION  ASSEMBLY 


Part 

Spin  Table 

Gyro  Reference  Assembly 

Battery  & Control  Box  Assy. 

Telemetry  Battery  Assembly 

Battery  Assembly 

DC -DC  Converter  Assembly 

Telemeter  Signal  Conditioner 

Telemeter  RF  Assembly 

Assembly  Integrating 
Accelerometer 

Electronic  Assembly,  FLT  Control 

Final  Assembly  Programmer  and 
Sequence  Control 

Telemetry  Antenna  Assembly 

Distribution  Box 

Fairing  Separation 

Overall  Failure  Rate 


Burnout  Test 
Failures /XOOO 
Hours 

USL  MTBF 

• 379 

2,638 

• 520 

1,922 

.114 

8,740 

.036* 

27,780 

.002 

500, 000 

.145* 

6,880 

2.011* 

497 

.890* 

1,123 

1.066 

936 

4.380 

228 

2.623 

381 

.005* 

185,200 

.427 

2,340 

.028 

3,372 

12.62 

79.24 

3.08* 

324.68 

104.82** 

* These  items  not  essential  for  "acceptable”  flight. 

**  Overall  failure  rate  for  essential  items  of  "acceptable"  flight. 


213 


TABLE  6 

FUNCTIONAL  PARTS  IN  THE  AJ10-104  PROPULSION  SYSTEM 


Component  Part 

No,  in 
System 

Expected  Croun< 
Test  Failures/ 
1000  Hours 

Accumulators 

1 

.144 

Actuator  Cylinder 

2 

.102 

Capacitor 

12 

.004 

Coll 

1 

.019 

Connector;  Electrical 

33 

.001 

Connect or j Mechanical 

1 

.002 

Diode 

7 

.010 

Fairing  Assembly 

5 

.010 

Fit t logs j Flanges j Elbows 

112 

.002-. 006 

Filters , mechanical 

5 

.002 

Filters ; Electrical 

2 

.005 

Flex  Lines } Propellant 

3 

• 914 

Manifold 

3 

.058 

"0"  Rings  and  Gasket 

1^3 

.001 

Potent i omet e r s 

2 

.027 

Probe } Oxidise r 

2 

.005 

Pump,  Hydraulic 

1 

.270 

Resistors 

8 

.022 

Glee res 

183 

-d- 

O 

O 

Switch^  Pressure 

2 

.914 

Tank  Assembly;  Propellant 

1 

.020 

Tank  Assembly,  Helium 

3 

.002 

Tank  Assembly;  Nitrogen 

6 

.001 

Thrust  Chamber  Assembly 

1 

6.56 

Tranducers 

9 

O 

-0 

O 

Transformers 

1 

.001 

Transistors 

2 

.054 

Tubes 

121 

.016 

Valves 

Jg_ 

1-85-4.572 

Total  Functional  Parts 

717 

Total  Failure  Rate 

55-76  failures 
/1000  hrs. 

214 


TABLE  7 


FUNCTIONAL  PARTS  IN  THE  FORWARD  ASSEMBLY 
(Failure  rates  are  based  on  manned  aircraft  environment) 


No.  in 

Expected  test 
Failures/1000 

Component  Part 

System 

Hours 

Accelerometer 

i 

•079 

Actuator,  Explosive 

4 

.007 

Actuator,  Rollerlerf 

1 

.006 

Amplifier,  Bendix 

1 

.170 

Amplifiers,  Bulova  and  Composite 

2 

.178 

Battery 

55 

.002 

Bolt,  Explosive 

5 

.002 

Capacitor 

89 

.001 

Chopper 

1 

.050 

Coaxial  Connector 

1 

.017 

Coll  Inductor 

25 

.019 

Connector,  Receptacle 

50 

.005 

DC -DC  Converter 

1 

.016 

Diode 

300 

.001 

Gyro  Assembly 

5 

.008 

Hardware  Items 

4 

— 

Heater  Blanket 

5 

.004 

Insulator 

15 

— 

"0”  Ring 

4 

.003 

Pin 

1 

.005 

Potentiometer 

9 

.027 

Preamplifier 

2 

.140 

215 


TABLE  7 (Cont) 


FUNCTIONAL  PARTS  IN  THE  FORWARD  ASSEMBLY 
(Failure  rates  are  based  on  manned  aircraft  environment) 


Component  Part 

No . in 
System 

Expected  test 
Failure s/lOOO 
Hours 

Relay 

29 

.037 

Resistor 

634 

0 

0 

Shaft 

1 

.031 

Spin  Table 

1 

.006 

Spring 

18 

.009 

Switch 

11 

0 

H 

Tachometer  Motor 

1 

.078 

Terminal 

294 

.001 

Transducer 

1 

.150 

Trans former 

20 

.015 

Transmitter,  Bendix 

1 

.534 

Transistor,  Sensistor 

16  4 

.027 

Valve,  Explosive 

4 

.013 

Valve,  Circle  Seal 

2 

.130 

VCO 

10 

.054 

Total  Functional  Components 

171*6 

TABLE  8 


FAILURE  RATE  DETERMINATION-  FOR  CRITICAL  ITEMS 
BASED  ON  1090  HOURS  ACTUAL  TEST  TIME 


AJ10-40,  k-2,  101  Propulsion  Systems  AJ10-104  Propulsion  System 


Item 

Critical 

Failures 

Recorded 

During 

Tests 

Comp*  in 
Propulsion 
System 

USL 

Failure/ 
1000  Hr* 

Comparable 
Items  in 
System 

Expected 

USL 

Failure/ 
1000  Hr. 

Check  Valve 

1 

5 

.182 

9 

1.64 

Gas  Beg.  Valve 

2 

1 

1.828 

2 

3*66 

FTCV 

5 

1 

4.572 

1 

4.57 

Glmbal  Equipment 

4 

1 

3.660 

1 

3.66 

OTCV 

■1 

1 

.914 

1 

• 91 

Propellant  Flex  Lines 

3 

.914 

3 

2.74 

Oxidizer  Vent  Valve 

2 

1 

1.828 

1 

1.83 

Fuel  Vent  Valve 

1 

1 

.914 

1 

• 91 

High  Pressure  Liner  (Tubes) 

4 

229 

.016 

298 

4.66 

Harness  Connector 

4 

22 

.163 

33 

5*37 

Pilot  Valves 

3 

2 

1.376 

3 

4.12 

Helium  Vent  Valves 

1 

1 

.914 

0 

- - 

Hydraulic  Pressure  Relief  Valve  1 

1 

.914 

1 

.91 

Hydraulic  Ac  cum* 

1 

1 

.914 

1 

.91 

Oxidizer  Probe 

2 

2 

.914 

2 

1.83 

Pressure  Switch 

2 

2 

.914 

2 

1.83 

Attitude  Control  Valve 

0 

2 

.914 

9 

8.23 

Quick  Disconnects 

1 

5 

.183 

11 

3.21 

Helium  Shutoff  Valve 

0 

0 

.914 

l 

• 91 

OTSV  and  FTSV 

0 

0 

1.372 

2 

2.74 

58 

281 

382 

95*00 

217 


TABLE  9 


EXPECTED  FAILURE  RATES  OF  ELECTRONIC  COMPONENTS 
DJ  THE  ABLESTAR  STAGE  UNDER  NON-FIRING  TEST  CONDITIONS 


Number 

Median  p/R 

Max* 

f/r 

Total 

Median 

Total  I 

Comp  one  nt  Part 

Used 

Per  Hour 

Per  Hour 

P/R  Per  Hour 

F/R  Pf 

Accelerometer 

1 

7.86  X 10-5 

18  X 

1G~5 

7.86 

x lO"5 

18  j 

Capacitor 

89 

0.115  J 

. 

4 

* 

10.1 

J 

L 

356 

Coil 

25 

1.89 

7-5 

47.2 

188 

Connector 

50 

■542 

5 

27.1 

250 

Diode 

300 

.146 

4 

43.8 

1200 

Gyros 

3 

7-86 

18 

23.6 

54 

Motor 

1 

7-86 

18 

7.86 

18 

Relay 

29 

5.67 

5-5 

106.4 

159.5 

Resistor 

634 

■ 275 

2.5 

173.1 

1585 

Switch 

11 

1.28 

4 

14.1 

44 

Terminal 

294 

.096 

1.5 

28.2 

441 

Transformer 

20 

I.52 

7 

30.4 

1.4o 

Transistor 

164 

2.71 

8 

444.4 

1312 

Amplifiers 

3 

17.78 

35-3 

53-3 

107 

Pre - Ampl i f i e r s 

2 

13.98 

27.9 

28.0 

56 

Transmitter 

1 

33-36  1 

f 

107 

\ 

53-4 

107 

VCO 

10 

3.38  x 10" 5 

10.7  X 

1CTJ 

53.8 

s 

f 

107 

Miscellaneous 

109 

no 

x 10~5 

220 

A 


x 10 


i-5 


218 


TABLE  10 


EXPECTED  FAILURE  RATE  OF  PROPULSION  SYSTEM  COMPONENTS 
UNDER  NON-FIRING  TEST  CONDITIONS 


Component 

No,  In 
System 

Failure 

Rate/Hr 

Max,  Failure  Total  Failure/  Total  Maximum 

Rate/Hr  Hour  Failure/Hour 

Accumulator 

1 

lk.2  x 10"5 

28.4  x 10 

"5  14.2  x 10' 

28.4  X 10 

J 

k 

i 

l 

L i 

1 

Actuator  Cylinder 

2 

10,2 

20.4 

20.4 

4o.a 

Capacitor 

12 

■113 

4.0 

I.56 

48.0 

Coil 

1 

1.  89 

7-5 

I.89 

1.5 

Conne  c t or  , Ele  c t r i c al 

30 

• 5te 

5.0 

16.26 

150.0 

Connector,  Mechanical 

1 

0-2 

0.4 

0.2 

0.4 

Diode 

7 

.146 

4.0 

1.02 

28.0 

Fairing  Assembly 

5 

1.0 

2.0 

5.0 

10.0 

Fittings,  Flanges 

112 

0.2-0. 6 

0. 4-1.2 

22.4-67-2 

44.8-134.4 

Filter,  Mechanical 

5 

0,2 

0.4 

1.0 

2.0 

Filter,  Electrical 

2 

a.o 

8.0 

4 

16.0 

Harness 

3 

9.14 

18.28 

27.4 

54.8 

Manifold 

3 

0.58 

1.16 

1.74 

3-48 

J,0M  Rings  Gaskets 

lk3 

0.1 

0.2 

14.3 

28.6 

Pot  ent i ome t e r 

2 

2.72 

5.44 

5.44 

10.9 

Probe  Qxidiser 

2 

0.52 

i.o4 

1.04 

2.08 

Pump,  Hydraulic 

1 

27.0 

54.0 

27.0 

54.0 

Resistors 

8 

.27 

2.5 

2.16 

20.0 

Sleeves 

1 83 

0.4 

0.8 

73.2 

146.0 

Switch,  Pressure 

2 

91.4 

182.8 

182.8 

366.0 

Tank  Assembly,  Propellant 

1 

2.0 

4.0 

2.0 

4.0 

Tank  Assembly,  Helium 

3 

0.16 

O.32 

0.48 

0.96 

Tank  Assembly,  Nitrogen 

6 

0.l4 

0.28 

0.84 

1.68 

Thrust  Chamber  Assembly 

1 

636, 0 

1312.0 

656.0 

1312.0 

Transducers 

9 

70.0 

i4o.o 

630.0 

1260.0 

Tran  s formers 

1 

1.52 

7.0 

1.52 

7-0 

Transistors 

2 

2.7 

f 

8.0  , 

r 

r l6*° 

Tubes,  (lines ) 

121 

1.64  x 10 '5 

3.28  x 10_5  198  x 10'5 

397  x 10 

219 


TABLE  11 


FORWARD  SECTION  (ELECTRICAL,  SPIN  TABLE  & NOSE  FAIRING) 


No. 

Time, 

Current 
Failure  Rate 

Failures 

Hrs . 

F/Hr. 

Range  Safety 

5 

73.25 

.06826 

Electrical  Power 

1 

292.07 

. 003423 

Programmer 

0 

200.83 

Telemetry 

19 

271.77 

.06991 

Airborne  Guidance 

0 

27.58 

Structural  (Spin  Table-Rose  Faxring) 

0 

78.6 

Autopilot  System, 

61  1 

1 — 330.28 

.02422 

Integrating  Accelerometer  2 — I 

AJ- 10-104  PROPULSION  SUBSYSTEM  + GIMBAL  ACTUATION 

.16581 

& HYD.  SUPPLY  SYSTEM,  AND  NITROGEN  GAS  JET 

CONTROL  SYSTEM 

Current 


No. 

Failures 

Time, 

Hrs. 

Failure  Rate 
F/Hr. 

Propulsion  Subsystem 

7 

144.52 

.04843 

Gimbal  Actuation  Syst..  & Hyd.  Supply 

if  — I 

— 330.28 

.0151 

Nitr.  Gas  Jet  Control  Syst. 

i_r 

TOTAL  F.R. 

•0635 

220 


TABLE  12 


SUMMARY,  ABLESTAR  STAGE  FAILURE  RATE  & RELIABILITY 
ABLESTAR  STAGE  S/N  005  & 006,  AZUSA  & CAPE  CANAVERAL 


Subsystem 

No. 

Failures 

Time 

Hrs. 

Current 

Failure 

Rate,F/Hr. 

Current  Subsystem 
Reliabilities 

s/N-005  S/n-006 

Range  Safety 

5 

73-25 

.06825 

.9524 

.9549 

Attitude  Control 

15 

350.28 

.03936 

.9791 

.9801 

Electrical  Power 

l 

292.07 

.00342 

.9976 

.9977 

Propulsion 

7 

144.52 

.0484-3 

.9662 

.9680 

Programmer 

0 

200.83 

0 

Telemetry 

19 

271.77 

.06991 

.9512 

.9536 

Airborne  Guidance 

0 

27.58 

0 

Structural 

0 

78.6 

0 

221 


Month  Ending  January  31.  1962 


* C Denotes  Critical 
M Denotes  Major 
m Denotes  minor 

TABLE  13 

SUBSYSTEM  FAILURE  DATA  SUMMARY 


Subsystem 

Current  Month 

Six  Month  Cumulative 

Predicted 

Failure 

Rate 

£ 

Failures 

Hours 

Failure 

Rate** 

±1 

Failures 

Hours 

Failure 

Rate** 

C 

M 

m 

Hrs . :Mir 

. 

G 

M 

m 

Hrs. :Min 

Telemetry 

2 

39*18 

.050891 

12 

1 

182:00 

.071U2  ! 

.QOlU 

Range  Safety 

1 

21sU8 

.01+5871 

1 

62:18 

,01605  ! 

.0021 

Programmer 

35  il  2 

.0000-*- 

1 

1 

16U:00 

.01219  ! 

.0012 

Electric  Power 

1 

Uosjo 

.02U69t 

1 

20l4.:U  2 

.00U88  A 

.0005 

Control 

2 

36«U2 

•o5UUs1 

2 

5 

19U:30 

.03598  ^ 

.0069 

Gimbal  Act 

13:30 

! .0000-^ 

l 

85:U8 

,01165^ 

.00U7 

^2  Vent 

8:30 

.0000-*- 

1 

95:18 

.010U9  J 

.0073 

Propulsion 

U:00 

.0000-*- 

5 

128:12 

.03900 1 

.03U1 

This  Subsystem  Summary  page  is  published  in  each  Monthly  Progress  Report  listing 
the  failure  rates,  failures  and  hours  for  each  subsystem  for  the  current  month 
and  also  a running  six  month’s  cumulative. 

Arrow-  Indicates  change  from  last  month's  report;  down,  up,  or  no  change. 


222 


APPENDIX 


CALCULATION  OF  CONFIDENCE  LIMITS  FOR  RELIABILITY  OF  ABLESTAR  STAGE 


In  general  the  95$  confidence  limits  of  a 
reliability  are  computed  as  follows: 


Compute  the  mean  time  between  failures , M, 
and  find  the  Reliability  R ^ e~Vm;  then  taking  N 
as  the  number  of  failures  used  in  computing  14, find 
lower  MTEF  as  L = M » 1*96  M/  /JT  and  upper  MTBF  as 
JJ  •=  m + 1*96  M/yU.  As  the  failure  rates  in  the 
different  environments  are  different , it  is  neces- 
sary to  find  an  equivalent  time,  T,  and  equivalent 
MTBF,  Mj  soothe  equations  used  in  major  Paragraphs 
5 and  4 of  the  section  can  be  transformed  from 


R » e xp 


h S h 


— ~rf~  to  B = e 


*5 


= e-T/M 


Table  A-l  tabulates  M and  T for  the  various  unity 
stress  level  cases*  The  values  of  T/M  are  shown 
in  the  body  of  the  paper* 

From  Table  1 it  Is  seen  that  710  failures 
occurred  during  the  testing  for  evaluating  the 
Failure  Rate  of  the  most  numerous  components  in 
the  forward  section,  and  from  Table  2 it  is  seen 
that  38  failures  occurred  during  the  testing  of 
propulsion  systems*  So,  for  the  forward  section, 
n is  considered  to  be  710  with  /rT = 26.65;  and  for 
the  AJ10-104  propulsion  system,  n is  with  /n  - 
6,l6* 


Table  A-2  shows  T and  M as  well  as  confi- 
dence limits  for  the  unity  stress  level. 

The  technique  of  ^Tolerancing  by  the  Dif- 
ferential Method" 5 was  used  in  finding  the  confi- 
dence limits  for  the  overall  system  (i-e.,  propul- 
sion system  and  forward  section). 

In  this  method  if  F = F (x,y)  and  the 
standard  deviations  and  By  are  known  or  are 
estimated,  then  the  standard  deviation  of  F can  be 
computed  as 

1/2 

. 2 2 2 2\* 

5F  - (F  s^  + F s ) 
v x x y y 

In  the  present  case  F * R^  R^  where  E-j  is  the  re- 
liability of  the  propulsion  system  and  Eg  is  the 
reliability  of  the  forward  section. 


New  Fr^  ^ R^  and  F^  - R1*  In  computing 

the  upper  limit,  s (%^  ~ R^)  l/l*9^  and 

SjjUg  = (Ry2  - Eg)  1/1.96  Where  and  R^  are 

upper  limits  for  the  reliabilities  of  the  propul- 
sion system  and  forward  sections  respectively. 
Similarly  = (\  - Bj^)  lA*96  ahd  Sri^  = 

(R2  - Rj^)  1/1*96  are  computed  where  Rj^  and  R^ 

are  the  lower  limits  for  the  reliabilities. 

The  upper  95$  limit  of  reliability  is, 

Hx  R2  + 1*9& 

• i/42<V  V2  r§s  + h2\-h? 

■ Vs  t|/8/(V  Ri>2  + h‘\-  %>2 

and  the  lower  95$  limit  of  reliability  is, 

<Rl  - \>2  + Kl2  ^ - %>2 


References 


I*  Maj.Gen*  L.J.  Davis,  Reliability  in  Missile 
and  Smce  Operations  IRE  Transactions,  Febru- 
ary 8,  1961. 

2,  Reference  (l)  MMP  59^1  Published  by  Martin 
Co.,  Denver,  Colorado,  9 July  1959- 

5.  Toleranclng  by  the  Statistical  or  Differential 
Method,  by  Dr*  J.N.  Berrettone,  Page  9&,  Auto- 
motive  Supplement  No*  1,  published  by  American 
Society  for  Quality  Control,  May  1954* 


223 


TABLE  A-2 


95  PERCENT  CONFIDENCE  CALCULATIONS  FOR  SUB-SYSTEMS 


M 

T 

Type  of  Analysis 

Sec . 

Sec . 

Transit  2 -B  perfect 
propulsion  system 

78,500 

1756 

Transit  2-B  acceptable 
propulsion  system 

116,000 

1736 

Courier  1-B  perfect 
propulsion  system 

80,000 

2576 

Courier  1-B  acceptable 
propulsion  system 

117,000 

2576 

Transit  2-B  perfect 
forward  section 

289, 000 

1756 

Transit  2-B  acceptable 
forward  section 

577,000 

1736 

Courier  1-B  perfect 
forward  section 

309,000 

2576 

Courier  1-B  acceptable 
forward  section 

419, 000 

2576 

1.96  M 
/n 

95^  Confidence 
Limits  on  MTBF 

Lower  Upper 

95 1°  Confidence 
Limits  on 
Reliability 
Lower  Upper 

25,000 

53,500 

103, 500 

96.8 

98.3 

57,000 

79, 000 

152,500 

97-8 

98.7 

25, 000 

54,000 

105,000 

95-4 

97-6 

37,000 

80,000 

154,000 

96.8 

98.3 

21,000 

268,000 

310,500 

99-4 

99-4 

28, 000 

350,000 

405,000 

99-5 

99-6 

23,000 

286,000 

332,000 

99-1 

99-2 

31,000 

388,000 

450,000 

99-3 

99-4 

224 


TABLE  A-l 


RELIABILITIES  AMD  TIME  STRESSES  EOR  SUB-SYSTEMS 

T M 


( Propulsion  System 

e-T/M 
• 978 

t/m 

.0221 

X 

(sec) 

1736 

(sec) 

78,552 

Perfect 

( Forward  Section 

• 994 

• 0060 

1736 

289,333 

Transit  2-B 

( Propulsion  System 

• 985 

.0150 

1736 

115,733 

Acceptable 

( Forward  Section 

• 995 

.0046 

1736 

377,391 

(Propulsion  System 

.968 

.0525 

2576 

79,752 

Perfect 

( Forward  Section 

•992 

.0083 

2576 

300,910 

Courier  1-B 

( Propulsion  System 

•978 

.0220 

2576 

117,091 

Acceptable 

( Forward  Section 

• 994 

.0062 

2576 

418,862 

225 


* 


BE  LIABILITY  ANALYSIS  OF  REDUNDANCY  MECHANISMS 
by 


Nathan  Llchter 

Grumman  Aircraft  Engineering  Corporation 
Bethpage,  New  York 

and 

Gilbert  Friedenreich 
Fairchild  Stratos  Spacecraft  Systems 
Bay  Shore , Hew  York 


Reliability  expressions  are  derived  for  two 
basic  functional  redundancy  techniques  as  applied 
to  a two -channel  system1!  active  redundancy  (both 
channels  operate)  and  standby  redundancy  (one 
standby  redundancy  (one  channel  operates;  the 
other  is  switched  in  upon  failure  of  the  first). 
Each  expression  is  investigated  for  the  effect  of 
the  following: 

1,  Failures  of  a channel  which  cause  the 
redundant  channel  to  fail, 

2*  Failures  of  a channel  which  do  not  effect 
the  redundant  channel, 

3 * Load  sharing, 

4,  Reliability  of  the  switching  device* 

The  equations  for  each  of  these  methods  and 
their  specific  parameters  are  contained  in  their 
respective  sections*  Solutions  to  these  equa- 
tions have  been  determined  over  a wide  range  of 
variables  using  the  IBM  JOtyQ  computer,  and  the 
results  are  shown  graphically  in  Figures  9 and  11* 
An  analysis  of  these  plots  leads  to  the  follow- 
ing observations  and  conclusions: 

1*  Active  redundancy  rather  than  standby 
redundancy  should  be  used  whenever  technically 
feasible  due  to  its  simplicity  and  reliability  po- 
tential resulting  from  load  sharing  (derating)  as 
noted  below* 

2*  The  traditional  reliability  expression 
for  active  redundancy, 

2 

rsystem  = 2RCHAIfflEL  “r  channel, 
may  provide  erroneous  conclusions  since  it  does 
not  allow  for  the  negative  effect  of  short  type 
failures  or  the  beneficial  effect  of  derating  re- 
sulting from  load  sharing  between  the  two  active 
channels.  Comparison  of  this  expression  with  that 
for  standby  redundancy  assuming  perfect  decision 
and  switching  devices  shows  that  standby  redun~ 
daney  reliability  is  only  slightly  greater  than 
active  redundancy  reliability  under  these  assump- 
tions (Figure  9) * 

3*  As  the  probability  of  short  failures  in- 
creases, the  reliability  of  the  active  redundant 


system  decreases  such  that  when  the  ratio  of  short 
to  open  failures  is  unity,  system  reliability  Is 
approximately  equal  to  the  reliability  of  a single 
channel*  System  failure  resulting  from  lf shorts" 
can  be  minimised  by  the  addition  of  isolation  de- 
vices in  each  channel  to  divorce  the  failed  chan- 
nel from  the  system, 

4*  On  the  other  hand,  if  the  active  redun- 
dant elements  exhibit  reduced  failure  rates  be- 
cause they  share  the  load  (derated),  system  relia- 
bility is  greater  than  that  obtained  from, 

2 

R « 2R--R-  . Assuming  short  failures  are  negli- 

y y 

gible,  active  redundancy  reliability  will  exceed 
standby  redundancy,  even  with  perfect  switching, 
when  the  ratio  of  open  failure  rate  at  half  load 
(derated  operating  condition)  to  open  failure  rate 
at  full  load  is  one  half  (l/2)* 

5*  The  obvious  disadvantage  of  standby  re- 
dundancy is  the  complexity  resulting  from  the 
decision/switching  device*  An  open  type  failure 
in  this  device  fails  the  redundant  system,  and  a 
rapid  deterioration  in  system  reliability  results 
as  the  open  type  failure  rate  increases  as  shown 
in  Figure  11, 

6.  Neglecting  the  open  type  failure  of  the 
switching  device,  the  reliability  of  the  standby 
redundancy  system  will  always  exceed  2R^  - 

provided  the  probability  of  successful  switchover 
from  the  failed  channel  to  the  standby  channel  is 
greater  than  the  reliability  of  the  channel  it- 
self. 

( 

Introduction 

Systems  designed  for  extended  missions  often 
apply  redundancy  when  complexity  and  the  inherent 
part  failure  rate  preclude  achieving  desired  re- 
liability goals*  There  are  various  ways  of 
achieving  redundancy.  In  view  of  limitations  on 
weight  and  space,  it  is  important  that  optimum 
methods  be  selected,  compatible  with  the  design 
objective  * 

This  paper  presents  a technique  for  evaluat- 
ing two  types  of  redundancy:  active,  where  the 


22? 


redundant  components  function  continuously]  and 
standby,  where  the  redundant  components  do  not 
function  until  a failure  occurs,  whereupon  a 
switching  device  replaces  the  failed  component 
with  an  operable  one.  The  evaluation  is  made 
considering  the  effects  of  a number  of  variables 
such  as  short  and  open  type  failures,  load  shar- 
ing, and  reliability  of  the  switching  devices. 


Some  of  these  effects  have  been  presented 
separately  in  other  studies  but  this  paper  com- 
bines all  of  these  variables  into  a single  set  of 
equations. 3 ^ In  order  to  simplify  the  presen- 

tation, the  study  has  been  limited  to  the  exponen- 
tial distribution  and  second  order  redundancy. 
However,  the  method  itself  is  applicable  to  multi- 
channel systems  with  higher  order  redundancies  and 
for  distributions  other  than  the  exponential. 


The  method  is  useful  even  when  specific 
failure  rates  are  not  available  since  the  curves 
generated  can  be  applied  in  a qualitative  sense 
by  the  systems  designer. 


Single  Channel  Reliability 

The  term  "channel"  is  used  in  this  report  to 
describe  a determinate  path  of  flow  between  two 
points  and  may  consist  of  a part,  element,  group 
of  parts,  module,  subsystem,  or  equipment  and  its 
connecting  hardware.  Thus  it  is  assumed  that 
where  a channel  consists  of  many  parts  or  elements 
in  series,  a failure  of  any  one  may  interrupt  the 
flow  and  will  contribute  to  channel  failure. 

If  the  failure  pattern  of  the  channel  can  be 
described  by  the  exponential  distribution,  the 
total  channel  failure  rate,  A , is  then  equal  to 
the  sum  of  the  failure  rates  of  the  individual 
parts.  Carhart  defines  the  reliability  of  such  a 
configuration  as;! 

R = exp  |-Atj,  (l) 

where 


A * total  failure  rate  of  channel,  and 
t a*  mission  time 


Active  Redundancy  - Independent  Channels 

When  two  independent  channels,  each  capable 
of  performing  the  same  task,  are  both  functioning 
continuously  they  are  considered  actively  redun- 
dant. This  situation  is  portrayed  in  Figure  1. 


B 


Figure  1 


The  term  "independent”  means  that  the  per- 
formance, or  loss,  of  one  channel  has  little  or 
no  effect  on  the  failure  probability  of  the  other. 
It  is  not  necessary  for  both  channels  to  be  phys- 
ical!y installed  parallel  in  order  to  be  function- 
ally parallel  in  a reliability  sense.  For  example, 
two  check  valves,  A & B,  are  installed  in  series 
to  insure  against  reverse  flow  as  shown  in  Figure 
2A.  There  are  essentially  three  modes  of  failure 
that  can  occur  to  each  of  these  valves : 

1.  Failure  to  close  when  flow  reverses. 

2.  Failure  to  open  when  flow  commences. 

3.  External  leakage. 


A ^ 

B 

A 


Figure  2 


Figure  2B  is  the  reliability  block  diagram  repre- 
senting the  above  arrangement,  with  subscripts  1, 
2,  and  3 indicating  the  modes  of  failure  dis- 
cussed above. 

This  example  was  chosen  to  demonstrate  the 
choice  of  the  term  "Active  Redundancy"  rather  than 
"Parallel  Redundancy."  The  word  "parallel"  is 
sometimes  misleading,  implying  physical  arrange- 
ments and  possibly  ignores  certain  modes  of 
failure. 

For  certain  installations,  failure  modes  2 
and  3 are  virtually  non-existent  so  that  Figure  2B 
reduces,  to  that  portrayed  by  Figure  1. 

The  probability  of  system  success  can  be 
shown  to  be:l 

rt  = ha  + kb  " RARB  ' ^ 

where 

R^  = reliability  of  channel  A,  and 

Rg  = reliability  of  channel  B. 

If  both  channels  are  identical,  or  have  the 
same  reliabilities,  R.  « R = R,  Equation  (2)  re- 
duces to: 

= 2R-R2.  (3) 


228 


Since  very  few  systems  will  ever  approach  the 
ideal  independent  conditions  defined  above.  Equa- 
tions (2)  & (3)  can  be  considered  as  theoretical 
independent  active  redundancy . 


When  the  exponential  distribution  is  consid- 
ered applicable.  Equation  (2)  may  be  rewritten  as 
follows : 

Ht  = exp  |-*At] 

+ exp  - exp  |-UA  + ^gH  j > (*0 

where 

» total  failure  rate  of  channel  A, 

X_  * total  failure  rate  of  channel  B,  and 

jd 

t = mission  time. 


If  both  channels  have  the  same  failure  rates, 
XA  = XB  = Equation  (k)  reduces  to: 

R,p  = 2 exp  |-XtJ  - exp  J-2Xt|.  (5) 


Both  channels,  A and  B,  each  carrying 

half  load,  function  successfully  until  time 

where  A fails  - due  to  an  open  type  failure,  and 
B continues  to  function  at  full  load  until  time  t 


Same  as  P^, 
tinues  to  function. 


except  B fails  and  A con- 


The  following  diagram,  Figure  3,  represents 
these  successful  modes. 


Time 


Active  Redundancy  - Dependent  Channels 

In  most  cases  of  active  redundancy  certain 
types  of  failure  possibilities  exist  where  the 
entire  system  will  be  affected.  If  the  channels 
A and  B in  Figure  1 are  electrical  in  nature,  a 
short  or  ground  type  failure  in  either  A or  B will 
result  in  system  failure,  whereas  an  open  type 
failure  will  not  affect  system  operation.  A sim- 
ilar situation  can  be  cited  for  a hydraulic  sys- 
tem, If  A and  B represent  hydraulic  pumps,  a 
large  leak  or  pump  casing  burst  will  deplete  the 
reservoir  and  consequently  cause  complete  system 
failure.  It  is  apparent  then  that  as  the  ratio  of 
probability  of  short  type  to  open  type  failures 
increases,  a point  may  be  reached  where  active 
redundancy  provides  lower  reliabilities  than  a 
single  channel.  This  ratio  is  later  shown  to  be 
approximately  unity. 


(3) 


A*  & B! 


where:  A*  = operation  of  A at  half  load. 

B'  = operation  of  B at  half  load. 

A = operation  of  A at  full  load. 

B = operation  of  B at  full  load. 

= time  to  first  channel  failure. 


Figure  3 


Mathematically,  the  probability  of  these  oc- 
curences may  be  expressed  as  follows: 


pd) 


(6) 


In  many  applications  of  active  redundancy, 
the  load  is  actually  shared  by  the  two  channels 
where  each  channel  is  capable  of  carrying  the  en- 
tire load.  This  factor  should  be  considered  in 
estimating  the  system  reliability  since  numerous 
equipments  exhibit  a decrease  in  failure  rate  with 
decreasing  load.  Thus  if  channels  A and  B each 
carry  half  the  load,  the  individual  channel  fail- 
ure rate  may  be  considerably  less  than  normal, 
until  one  fails,  whereupon  the  other  takes  on  the 
full  load  at  a higher  failure  hazard. 


where 

R*  a*  probability  that  channel  A does  not 

fail  for  any  reason  at  half  load 
during  time  interval  0 to  t,  and 

t 

Rg  = Probability  that  channel  B does  not 

fail  for  any  reason  at  half  load 
during  time  interval  0 to  t. 

p(2)  - 4;  VRst;  > <7> 


The  dependent  active  redundancy  system  can 
be  successful  in  the  following  modes  of  operation. 

P^  Both  channels,  A and  B,  each  carrying 
half  load,  function  successfully  until  time  t. 


where 

(l-R*  ) = probability  that  channel  A fails 
KO  to  open  at  half  load  during  time 
interval  0 to  t, 


229 


^At  s = Probability  that  channel  A does  not 
1 fail  due  to  a short  type  failure  at 

half  load  during  time  interval  0 to 


^Btr  51  Probability  that  channel  B does  not 
1 fail  for  any  reason  at  half  load 

during  time  interval  0 to  t^,  and 


T = Probability  that  channel  B does  not 
1 fail  for  any  reason  at  full  load 
during  time  interval  t^  to  t, 

where 


% 


= probability  that  channel  B does  not 
fail  for  any  reason  at  full  load 
during  time  interval  0 to  t?  and 

- probability  that  channel  B does  not 
fail  for  any  reason  at  full  load 
during  time  interval  0 to  t|. 


?(3)  ^1-IW  RAt|  RA^RAt^ 


(0) 


where  the  definitions  for  Equation  (7)  apply  ex- 
cept that  the  channel  identification  reverses , 
since  B fails  and  A continues  functioning. 


Therefore,  the  probability  of  success  of  an 
active  redundant  system  will  be  the  summation  of 
the  probability  of  success  of  each  of  the  above 
possible  modes  of  operation,  or; 

= P(l)  + P(2)  + P(3) 

- rabb  + ^LKt'xs  RBt; 

+ <«&,;>  RBt;E  R«’  RA/RAt^  (9) 


Now  if  there  is  no  possibility  of  short  type 
failures,  — *-l  and  Rq — *~R,  Equation  (ll)  re- 

^ 2 

duces  to  R^  = 2H-B  , which  is  the  same  as  Equation 

(3)  for  independent  active  redundancy.  Thus  Equa- 
tion (3)  is  the  special  case  of  Equation  (9)  where 
the  channels  are  identical  and  the  performance  of 
either  channel  is  completely  independent  of  the 
other* 

Exponential  Failure  Pattern 

Assuming  that  the  failure  pattern  of  the 
channels  is  exponential.  Equation  (lO)  can  be  re- 
written as  follows : 

Rt  = exp  [-2A't] 

+ 2 exp  J-(A'  + A's  -A)t^-At] 

(l  “ exP  [-Ait]  ),  (12) 

where 

A ^ = failure  rate  for  open  failures  of  either 
channel  at  half  load, 

1 

Ag  ~ failure  rate  for  short  failures  of 
either  channel  at  half  load, 

Kl  - total  failure  rate  of  either  channel  at 

half  load,  A r = A ' T A 1 , 

' os 

A = total  failure  rate  of  either  channel  at 
full  load, 

t = mission  time,  and 

t 

= time  at  which  primary  channel  fails. 

Before  Equation  (l2)  may  be  applied,  an  esti- 
mate of  must  be  made  since  it  is  usually  the 
only  parameter  not  normally  available. 


In  many  applications  channels  A and  B can  be 
assumed  to  be  identical.  Therefore  R^  R^  » R1, 

RAt;  = Rk;  - r;s  - p'to  = Rk  BAtis=  Rkls  - 

Rt;s>  ra  = rb  3 E ma  \t’  c 3 Rq- 

Substituting  these  values  in  Equation  (9)  and 
simplifying  yields; 


- Rt  + 2mt[  Rt;s 


(10) 


If  the  channels  of  the  system  under  analysis 
do  not  reflect  a change  in  the  probability  of  suc- 
cess with  changing  load,  then  R - Rf,  R+  ■ *=  B ' ■ , 

t,  t-. 


E ^ R and  B.  r = B . T , 
o 0 t s t^s 


B™  = R2  + 2RH  1 (l-R  ) 
T t^s  s o/ 


(11) 


The  exponential  failure  pattern  of  the  chan- 
nel is  shown  in  Figure  4, 


r — i; 

‘a 

■a 

■8 

U 

ft 


9 

£ 


Time 


230 


Figure  4 


The  mission  time,  t,  should  usually  be  sub- 
stantially less  than  1/at,  the  me  an -time -be  tween - 
failures.  The  expected  value  of  t^  will  be  the 
mean  of  the  shaded  area  tinder  the  probability 
density  function  (Figure  4)  or: 


E(t|) 


S0  t(x'exp  [-A'tj)dt 
l1  exp  |-  t J 4t 


(13) 


Solving  Equation  ( 13 ) for  the  expected  value 
of  the  tine  at  which  the  primary  channel  fails 
yields : 


t exp 

1-exp 

M 

t 

exp  | 

(14) 


(15) 


If  the  same  assumption  is  made  as  in  the  der- 
ivation of  Equation  (ll)  where  the  channels  of  the 
system  under  analysis  do  not  reflect  a change  in 
probability  of  success  with  changing  load,  then 

A - x T . A “A  1 and  A = W Substituting  into 
J Q 0 s S 

Equation  (ll)  and  simplifying  the  results; 


Eg,  = exp 


+ 2 e*p  Kq-H 


(l  - exp  [-A0tj)  (l6) 

Mote  that  the  prime  in  is  retained  since 
t^  is  also  based  upon  open  failures.  It  is  shown 
later  that  t^,  the  expected  time  at  which  the 
primary  channel  of  a standby  redundant  system 
fails,  is  a function  of  both  open  and  short  type 
failures . 

Again  assuming  that  there  is  no  possibility 
of  short  type  failures,  A — -o,  and  Equation  £l6) 
reduces  to; 

E^  = 2 exp  J-Atj  - exp  j-2Atj  (l?) 

Equation  (l?)  is  identical  to  Equation  (5) 
again  proving  that  the  assumption  of  active  re- 
dundancy with  independent  channels  is  only  a 
special  case  of  active  redundancy  with  dependent 
channels . 


Comparison  Of  Independent  And  Dependent 
Active  Kedundancy  Equations 


Graphic  Comparison 


System  reliabilities  computed  for  various  com- 
binations and  values  of  failure  rate  substituted 


in  Equation  (l6)  are  plotted  against  total  channel 
failure  rate  in  Figure  9.  The  effects  of  short 
type  failures , A 5 >0,  and  reduced  open  failure 
rate  with  shared  loads,  A^/a0  < 1,  are  shown  for 
a 1 year  mission  compared  with  the  reliability  of 
the  independent  active  redundant  system. 

The  curves  in  Figure  9 result  from  repetitive 
solutions  of  the  applicable  equations  utilising 
the  facilities  of  an  IBM  7090  digital  computer. 

It  can  be  seen  that  as  the  probability  of 
short  type  failures  increases,  the  reliability  of 
the  system  decreases  below  the  curve  representing 
a theoretical  independent  active  redundant  system, 
when  A S/A0  = 1,  system  reliability  is  approxi- 
mately equal  to  channel  reliability.  Conversely, 
if  the  equipment  exhibits  reduced  open  failure 
rates  because  the  load  is  shared  between  the  two 
channels,  A£/Aq  < 1,  system  reliability  increases 
above  the  theoretical  curve  and  may  exceed  a 
standby  redundant  system  with  perfect  switching, 
which  is  discussed  in  detail  in  the  following 
section. 

Analytic  Comparison 

Since  it  has  been  shown  that  A = A Q + As, 
Equation  (l6)  may  be  rewritten: 

Eg,  = exp  [-2(a.q  + Ag)t] 

+ 2 exp  [-Aati-U0  +Xs)t] 

(l  - exp  [-XQt]  ) (18) 


By  rearranging  this  equation  and  comparing 
the  result  with  Equation  (5),  a qualitative  com- 
parison may  be  made  between  estimates  of  system 
reliability  based  upon  independent  and  dependent 
redundancy.  Equation  (l8)  becomes: 

= 2 exp  jrA0tj  exp  [-As(tg  + t)] 

- exs  [-2V] 

j2  exp  [-Xs(t^  + t)] -exp  J-2AgtJ  j (19) 


Obviously  t[  < t (see  Figure  4 ) . It  follows 
then  that  exp  [-As(tq  + t ) ] > exp  [-2Agt]  and  that 
| 2 exp[-As(t'  + t)]  - exp  [ -2Ast]  J is  positive  and 
also  greater  than  exp  [-As(t^  + t)]  . The  first 
term  of  Equation  (l9)  is  smaller  than  the  first 
term  of  Equation  (5)  by  the  factor  exp  f^As(t^+t)j 
and  although  the  second  term  of  Equation  (19)  is 
smaller  than  that  of  Equation  (5)*  it  does  not 
diminish  as  rapidly  as  the  first  term  since 
[2  exp  [-As(tn+t)] -exp  [-2Ast]  [ >exp  [-Ae( t|+t ) J . 
Therefore  using  the  estimate  of  system  reliability 
based  upon  dependent  redundancy,  Equation  (19),  is 
always  less  than  that  obtained  by  basing  the  es- 
timate upon  independent  redundance.  Equation  (5). 


231 


The  preceding  discussion  proves  that  where 
short  type  failures  are  possible,  the  use  of 
Equations  (2)  through  (5)  will  lead  to  optimistic 
solutions* 

Further,  it  will  now  he  shown  that  it  is 
possible  for  a redundant  system  to  he  worse  than 
a single  channel.  Another  rearrangement  of  Equa- 
tion (l6)  yields: 

RT  » exp  | -At]  J exp  | - At  J 

+ 2 exp|xgt|j  ( 1-exp  [ -A-o-b ] ) J (20 ) 

But  exp  | -At  J = R,  the  channel  reliability,  then 

{ R+2  exp|xgt^J  ( 1-exp  |-XQtJ  )J  (2l) 

It  is  obvious  then,  that  when 

J r+2  exp|xstij  ( 1-exp  J ) j >1, 

then  R^  > R; 

and 

Jr+2  exp|\gti|  ( 1-exp  [ -XQt  J ) J = 1, 
then  Rg,  = R; 

and  when 

|r+2  exp  |xgtj|  ( 1-exp  [-XQt  ] ) j <1, 
then  R^  < R. 

Example 

A typical  square  wave  oscillator  power 
supply.  A,  is  shown  in  Figure  10.  To  im- 
prove reliability,  a second  power  supply,  B, 
has  been  placed  in  active  dependent  redun- 
dancy, The  circuits  have  been  modified  to  in- 
sure that  no  component  part,  failing  short, 
would  result  in  a system  failure.  This  was 
done  to  take  full  advantage  of  the  active  re- 
dundancy with  derated  channels. 

Equation  (12)  may  now  be  used  to  esti- 
mate the  system  reliability.  It  should  be  re- 
cognized that  A*s  = p and  that  A*  represents 

the  total  channel  failure  rate  at  half  load 
A*0  = A1  • An  assumption  is  made  that  the  fuse 

will  always  open  the  circuit  upon  an  equipment 
short  type  failure.  If  this  assumption  cannot 
be  considered  valid,  the  system  reliability 
would  be  estimated  by  the  method  discussed  later 
in  the  section  on  Dependent  Active  Redundancy 
With  Isolation  Devices. 

The  failure  rates  used  for  this  example  are 
shown  in  Table  I for  both  100^  and  50%  rated  out- 
put. For  a mission  time  of  one  year,  the  re- 
liability, R,  of  each  power  supply  channel,  is 


O.87I7,  When  applying  Equation  (12),  the  system 
reliability  is  found  to  be  0.9877* 

If  the  classical  equation,  referred  to  a 
independent  active  redundancy,  equation  (3),  was 
used,  the  system  reliability  would  be  estimated 
to  be  .9^35.  This  does  not  appear  to  be  sig- 
nificantly different  from  the  estimate  from 
Equation  (12).  However,  when  examining  the  un- 
reliability, Q,  where  1 = R + Q,  it  can  be  seen 
that  the  estimate  of  this  probability  of  failure 
has  been  increased  3^. 

Standby  Redundancy 

Figure  5 is  a schematic  of  a two -channel 
system  in  standby  redundancy,  Hote  that  the 
secondary  channel  (B),  is  completely  isolated 
from  the  primary  channel  (A),  by  a decision 
making  device  (D)  and  a switching  device  (s). 

The  secondary  channel  does  not  perform  any  func- 
tion unless  the  primary  fails,  and  the  secondary 
channel  is  successfully  switched  into  the  system. 


Figure  5 


An  example  would  be  two  amplifiers  connected 
in  parallel.  When  the  output  of  A falls  outside 
the  acceptable  tolerance  limits,  the  decision  de- 
vice triggers  the  switch  relay  to  replace  channel 
A with  channel  B to  maintain  system  operation . 

Two  switches  are  not  absolutely  necessary  to  ac- 
complish this  task,  but  serve  to  show  the  complete 
isolation  of  channel  B from  A.  Depending  on  the 
function  of  the  system  and  the  circuitry,  the 
second  switch  may  be  replaced  by  other  means  of 
isolation,  such  as  two  diodes  as  shown  in  Figure  6. 

The  schematics  in  Figures  5 and  6 portray 
circuitry  that  is  irreversible.  That  is,  once 
the  decision  device  has  required  switch-over, 
either  by  failure  of  the  primary  channel  or  by 
failure  of  the  decision  making  and/or  switching 
device,  it  cannot  reselect  the  primary  channel. 

The  consideration  of  systems  including  reversible 
decision  devices  is  beyond  the  scope  of  this  paper. 


232 


The  assumptions  made  or  implied  in  the  pre- 
ceding  paragraphs  are  summarized  below  to  facili- 
tate the  analysis . 


Figure  6 


The  following  diagram,  Figure  7,  illustrates 
these  three  successful  modes. 


Mathematically,  the  probabilities  of  these 
occurrences  can  be  expressed  as  follows : 


1.  The  channels  are  isolated  such  that  a 
failure  in  one  cannot  cause  failure  in  another. 

2.  The  standby  channel  is  not  affected  by 
the  environment,  i.e.,  the  failure  rate  before 
operation  is  negligible  compared  to  the  failure 
rate  during  operation. 


p(i) 

where 

R = probability  that  channel  A does 

A not  fail  for  any  reason  during 

time  interval  0 to  t,  and 


3.  The  dec is ion- switching  device  is  irrever- 
sible . 


An  examination  of  the  above  schematics  also 
indicates  that  the  decision  device,  which  may  con- 
sist of  a detector  or  monitor  and  a comparitor  can 
be  considered  in  series  with  the  switch  from  a re- 
liability standpoint.  Therefore,  the  term 
"switching  device"  will  hereafter  include  all  of 
these  items. 

The  system  appearing  in  Figure  5 can  he  suc- 
cessful, in  the  following  modes  of  operation. 


pd) 


The  primary  channel,  A,  operates  suc- 


cessfully up  to  time  t.  The  switching  device  is 
successful,  i.e.,  does  not  make  a false  decision, 
to  time  t . 


P 


(2) 


The  primary  channel  fails  at  time  t^. 


The  switching  device,  not  having  made  a false  de- 
cision, replaces  the  primary  channel  with  the 
secondary  channel,  B,  which  operates  successfully 
to  time  t. 


P(3) 


The  primary  channel  operates  until  the 


switching  device  makes  a false  decision,  at  time 
t connecting  the  secondary  channel,  which  oper- 


ates successfully  to  time  t. 


R ss  probability  that  switch  does  not 

make  a false  decision  during  time 
interval  0 to  t. 


P(2)  = (1-RA^  RSRt1  (23) 


where 


(l-R  ) = probability  that  channel  A does 
A fail  for  any  reason  during  time 
interval  0 to  t, 


RSRt1  = 


where 


probability  that  switch  has  not 
made  a false  decision  prior  to  t^, 

R , and  then  operates  success - 
SWt^ 

fully  when  channel  A fails  at  time 

h5  RSFt1}  °r  RSRt1=  RSWt1‘  RSFtL* 

It  is  not  necessary  for  the  switch 
to  operate  after 

probability  that  channel  B does  not 
fail  for  any  reason  during  time  in- 
terval t^  to  t. 


R s probability  that  channel  B does  not 

P fail  for  any  reason  during  time  in- 

terval 0 to  t,  and 


233 


Rgk  = probability  that  channel  B does  not 

1 fall  for  any  reason  during  time  in- 
terval 0 to  t^, 

P(3)  = ^1-IW  RAt2RB^RBt2  * ^ 

where 

(l-Rg^)  = probability  that  switching  device 
will  make  a false  decision  at  time 
during  the  time  interval  0 to  t, 

R = probability  that  channel  A functions 

2 successfully  until  false  decision  by 
switch  at  time  t^,  After  it  does 

not  matter  whether  channel  A is  ca- 
pable of  functioning  or  not. 


relay  would  appear  to  the  switching 
device  as  an  open  failure  in  channel 
A.  The  switch  would  then  initiate 
the  relay  to  energise  channel  B,  It 
would  appear , therefoi-e,  only  neces- 
sary to  consider  the  open  contact 
type  of  the  relay  from  time  to  t. 

The  choice  of  the  time  interval  is 
dependent  upon  the  exact  design  of 
the  switching  device,) 

Equation  (25)  can  be  considered  a special 

case  of  Equation  (26)  where  R = 1,  Obviously 
< bO 

= B since  R =1.  Therefore,  it  is  evident 
that  the  switching  device  should  be  designed  so 

th0t  RgQ  — 1 ■ 


V^tg 

where 


probability  that  channel  B does  not 
fail  for  any  reason  during  time  in" 
terval  to  t. 


Rg  - probability  that  channel  B does  not 

fail  for  any  reason  during  time  in- 
terval 0 to  t,  and 

R - probability  that  channel  B does  not 

t2  fail  for  any  reason  during  time  in- 

terval 0 to  tg* 


In  many  cases  of  standby  redundancy,  chan- 
nels A and  B are  identical  and  capable  of  per- 
forming the  same  function.  Under  these  condi- 


tions R^  - Rg  - R, 


V =V  = Rt,  and 


1 ^ 1 “1 
^At  " ^Bt  ” \ " these  values  in 

Equation  (25)  and  rearranging  yields: 


rt  - “I1  + (1-R>  =W 


Al 


(27) 


The  following  observations  should  be  noted: 


The .probability  of  system  success  will  be  the 
summation  of  the  probability  of  success  of  each 
of  the  above  modes  of  operation,  or : 

^ = P(l)  + P(2)  + P(3) 

= RARSW  + ^1-RA^  RSRt1RB^,RBt;L 

+ <25) 

This  equation  does  not  include  the  probability 
of  switch  contacts  falling  open.  This  approach 
is  considered  reasonable  since  it  is  feasible  to 
design  equipment  where  the  probability  of  this 
type  failure  is  highly  remote*  In  cases  where 
this  type  failure  cannot  be  eliminated,  Equation 
(25)  is  modified  as  follows  to  include  this 
factor : 

rtt  = rsort 

= RSo[RARSV!  + ^L“RA^  RSBt1RB^RBt1 
+ ^1-RSW^  RAt2VRBt2]’ 

where 

^SO  = probability  that  the  switch  will  not 
fail  open  during  the  time  interval 
0 to  t,  (Note  that  a further  examina- 
tion of  Figure  6 reveals  that  a fail- 
ure caused  by  an  open  contact  of  the 


1.  The  terms  involving  t (time  at  which 

the  switching  device  makes  a false  decision)  drops 
out  of  the  equation.  This  indicates  that  the  re- 
liability of  a standby  redundant  system  with  two 
identical  channels  is  independent  of  the  time 
at  which  the  switching  device  makes  a false  deci- 
sion. 


Although  the  term  R^  (probability  of  no  false 

decision)  has  also  dropped  out  of  the  equation, 
it  is  related  to  the  term  R . where  R«_  = 

RSW#^SF;  see  (23) . Thus  successful 

operation  is  equally  dependent  on  both  the  de- 
cision device  not  making  a false  decision  and  the 
decision  device  functioning  satisfactorily  upon 
failure  of  the  first  channel. 


2.  The  reliability  of  the  standby  redundant 
system  will  never  be  less  than  that  of  a single 


channel,  i.e*,  R^>  since  fl  + (l-R) 


> 1 be- 
s is  true. 


cause  R is  always  less  than  unity,  Th: 
regardless  of  the  value  of  the  probability  of 
sucessful  switch-over,  since  HSRt  /f^  —a 

— *-0*  (Note  that  these  con- 


only  when  R 


SRtn 


elusions  neglect  the  possibility  of  open  type 
switch  failures,  i.e,,  —1). 


3,  For  standby  redundancy  to  be  more  reli- 
able than  theoretical  independent  active  redun- 
dancy, the  probability  of  successful  switch-over 
must  be  greater  than  the  reliability  of  an  indi- 


23^ 


vidual  channel,  Ron>R.  This  statement  is  proved 
m / 

as  follows:  If  RgR  = R,  then  RgRt  /Rt  1,  and 

1 

equation  (27)  then  reduces  to  = 2K-R  which  is 


equation  (3}>  theoretical  independent  active  re- 
dundancy* (however,  recall  that  equation  (3)  does 
not  include  the  possibility  of  short  type  failures 

and  assumes  E = R . Also*  again  note  the  assump- 
o 


tion  that  R ^ — ^l)* 


It  was  shown  previously  that  if  short  type  failures 
are  possible  and  the  equipment  under  consideration 
does  not  reflect  increases  in  reliability  with  re- 
duced load,  the  reliability  of  an  active  redundant 
system  will  he  less  than  that  expressed  by  Equa- 
tion (3)>  R^CSR-R2 * 4,  Therefore  it  is  concluded 

that  under  these  conditions,  standby  redundancy 
will  yield  improved  results  over  active  redun- 
dancy as  long  as  Rg  >R  and  R^ — *-X. 


Exponential  Failure  Pattern 


If  the  failure  pattern  of  the  channels  and 
the  switch  is  assumed  to  be  exponential,  Equa- 
tion (25)  may  be  rewritten: 


V eXp[“(XA  +ASW}  *]  + (i-eXP['AAt]) 

exp["AsA]  exp  [~AB  (t  _tl^i 

+ (l-exp[-Xg^t] ) «qp[-i.Ata] 

exp  | -*B  (t  - t^)j , (28) 

where 

A . = total  failure  rate  of  channel  A, 

A 

A - total  failure  rate  of  channel  B, 

A = failure  rate  of  switching  device 
making  a false  decision. 


A 


SR 


total  failure  rate  of  switching  device 

A +A 

SWt  SF 


where 

A = failure  rate  of  switching  device  not 
operating  properly  when  required, 

t - mission  time, 

t^  = time  at  which  channel  A fails,  and 

t^  = time  at  which  false  decision  is  made 
by  switching  device* 

Vfhen  channel  A is  identical  to  channel  B, 
A^  - A R - A,  Substituting  into  Equation  (20) 

yields : 

- exp  |-AtJ  j l+(  1-exp  [-At  ] ) 


exp 


A)tl] 


Before  Equation  (29}  may  be  applied,  it  will 
be  necessary  to  determine  the  value  of  t^,  the 

expected  time  at  which  the  primary  channel  fails. 

The  expected  value  of  tT,  has  been  derived 
in  Equations  (l4)  and  (l!5).  In  this  application 
however,  the  failure  of  the  primary  channel  is 
based  upon  the  total  failure  rate  at  full  load 
rather  than  open  failures  at  half  load.  There- 
fore E(t^)  : 

^ ^ 1 t 

lV  “ A ~ exp  [At]  -I  (30) 

Substituting  the  expected  value  of  t^  into 

Equation  (29}  provides  the  most  useful  form  for 
comparitive  studies, 

Rt  = exp  [-At  j | 1 + (1-exp  [-At  j ) 

exp  [-bSH"X)  ( A "exp  [At]  -l)]  ^ 


Comparison  of  Active  And  Standby 
Redundancy  Equations 


Graphic  Comparison 

Figure  9 shows  that  for  a mission  time  of 

1 year,  where  short  type  failures  are  not  possi- 
ble t A  *  1 - A = 0.  active  redundancy  can  exceed 

s s 

standby  redundancy  with  perfect  switching  when 
the  ratio  of  channel  failure  rate  at  half  load 
to  full  load  is  one  half,  A'/ A = 1/2* 

Therefore,  in  the  general  case,  where  short 
type  failures  are  possible  and  the  equipment  ex- 
hibits reduction  of  failure  rate  with  reduced 
load,  it  will  be  necessary  to  solve  both  Equa- 
tions (12)  and  (29)  to  determine  which  type  of 
redundancy  will  provide  the  highest  reliabilites , 

Figure  11  shows  the  effects  of  switching 
reliabilities  on  system  reliability  for  a one 
year  mission  and  compares  standby  redundancy 
against  independent  active  redundancy  and 
single  channel  reliability*  Curve  1 is  the 
maximum  reliability  obtainable  with  a standby 
redundant  system  since  perfect  switching  is 
employed.  Curves  2,  3j  and  4 show  the  rapid 
degradation  of  system  reliability  as  switching 
device  failures  are  introduced.  However,  curve 

2 illustrates  that  if  the  switching  device  can- 

not  fail  open,  reasonable  improvement  is  made 
over  single  channel  reliability  even  with  low 
probability  of  successful  switchover  and  curve 

4 demonstrates  that  it  cannot  be  worse  than 
single  channel  reliability* 

Now  where  even  the  slight  possibility  of 
open  type  failure  of  the  switching  device  ex- 
ists, as  shown  in  curve  3^  considerable  re- 
duction of  system  reliability  occurs,  espe- 
cially in  the  area  of  low  channel  failure  rates. 
The  low  failure  rates  portrayed  in  the  abscissa 


(29) 


235 


of  Figure  11  imply  very  simple  channels  and 
thus  even  low  failure  rates  of  the  switching 
device  of  curve  3 will  indicate  poor  system 
reliabilities.  It  should  be  apparent  then  that 
standby  redundancy  can  be  better  justified  where 
more  complicated  equipment  (those  having  higher 
failure  rates)  are  employed. 

Note  also  that  if  the  second  assumption  for 
the  configuration  in  Figure  6 is  not  entirely 
valid;  the  standby  redundant  system  reliability 
as  computed  by  Equations  (27)  and  (3l)  may  be 
slightly  optimistic.  However,  a degree  of  con- 
servatism can  be  obtained  by  assuming  a small 
increase  in  the  basic  failure  rate  of  the  chan- 
nel when  applying  the  standby  redundancy  equation. 

Analytic  Comparison 

If  equipment  exhibits  a reduction  in  failure 
rate  with  reduced  load,  it  is  possible  that  the 
reliaoility  of  an  active  redundant  system  can  ex- 
ceed the  reliability  of  a standby  redundant  sys- 
tem even  if  100$>  perfect  switching  is  employed. 

To  prove  this,  the  possibility  of  short  type  fail- 
ures are  neglected,  a — *~0,  X*  — 

S 3 

Equation  (12)  for  dependent  active  redundancy 
reduces  to : 

= exp  j-2 A?t  J + 2 (1-  exp  |-A!tJ) 

ezp  j-(A’-A)  J exp  |-Atj  (32) 

and  assuming  perfect  switching,  AgR — -0,  for  equa- 
tion (29)  yields: 

R^  = exp  |-At|  + (1-exp  |~Atj ) exp  j^t^ 

exp  |-AtJ  (33) 

The  first  term  of  Equation  (32)  will  be 
greater  than  the  first  term  of  Equation  (33)  when 
A'<(A/2).  The  second  term  of  Equation  (32)  can 
be  greater  than  that  of  Equation  (33)  since 
A*  ^ A y < t and  exp  j-(A'-A)  t^J  is  always 

positive,  i.e.,  2(l-exp  [-A* t]  ) exp  j-(A'-A)t^J 
can  he  less  than  or  greater  than  ( 1-exp  [-At] ) 
exp  J>t  J depending  on  the  relative  values  of  A 

and  V . It  also  follows  that  as  A1— *-0,  Equation 
(32)  approaches  unity  for  any  value  of  A^  where 

0 ^ A = 00 
Example 

Consider  once  again  the  square  wave  oscil- 
lator power  supply,  Figure  10,  used  as  the  ex- 
ample for  active  redundancy.  In  this  application 
the  same  power  supply  channels  are  connected  in 
a standby  redundant  configuration,  similar  to 
that  shown  in  Figure  6. 

Bata  collected  by  the  Reliability  Control 
Section  at  Grumman  Aircraft  Engineering  Corpora- 
tion has  shown  that  a realistic  estimate  of  the 
total  failure  rate  of  the  switch  electronics, 


AQR,  is  1.51  x 10 "6,  in  addition,  the  design  of 

the  device  is  assumed  to  be  such  that  any  type 
of  failure  will  activate  the  switching  relay  and 
also  that  the  relay  is  designed  so  that  the  prob- 
ability of  an  open  contact  is  extremely  remote. 
Thus  Equation  (29)  applies. 

Substituting  A , from  Table  I,  into  this  equa- 
tion results  in  a standby  redundant  system  over- 
all reliability,  R^,  equal  to  0,9905  as  compared 

to  O.9677  fo r active  dependent  redundancy.  In 
other  words,  if  the  assumptions  made  have  been 
correct,  the  standby  configuration  shows  a slight 
improvement  over  the  active  redundant  system. 

Of  course,  in  making  a decision  as  to  the  type  of 
configuration  to  recommend,  consideration  must  he 
given  to  such  parameters  as  wear  out,  maintain- 
ability, availability,  etc. 

Dependent  Active  Redundancy  - 
With  Isolation  Device 

The  previous  discussions  indicate  that  the 
systems  designer  should  attempt  to  use  active 
redundancy  whenever  the  equipment  exhibits  re- 
duced failure  rates  with  reduced  load.  Such  sys- 
tems are  usually  lighter  and  simpler,  when  tech- 
nically feasible.  However,  further  increase  in 
system  reliability  may  result  from  the  addition 
of  isolation  devices  in  each  of  the  redundant 
channels  to  prevent  an  equipment  short  from  fail- 
ing both  channels  and  draining  the  power  supply. 

Figure  8 illustrates  a two-channel  active 
redundant  system  with  isolation  devices.  When 
a short  occurs  in  one  of  the  equipments,  the 
switching  device  isolates  the  channel  from  the 
system  permitting  the  surviving  channel  to  pick 
up  the  full  load  to  continue  system  operation. 


236 


Figure  8 


The  reliability  of  an  active  redundant  sys- 
tem with  isolation  devices  is  expressed  by  the 
same  equation  developed  for  the  active  redundant 
system  less  the  isolation  devices  (Equation  12) 
except  that  the  terms  in  the  equation  are  in-r 
terpreted  as  indicated  below  to  fit  this  appli- 
cation. Equation  (12 ) is  repeated  here  for  con- 
venience : 

= exp  | -2  X*  t J + 2 exp  |-(ai  + X^  -x)  t^-Xt j 
(l-exp  [ - A'0t  j ) , 

where 

X = equipment  ’’short*'  failure  rate  at  full 
s load, 

X = channel  "open"  failure  rate  at  full 
0 load, 

= equipment  ’’open"  failure  rate  + isola- 
tion device  (switch)  "open"  failure 
rate  + inadvertent  switch-over  failure 
rate,  or 

= X Equip.  Q + XS0  + XSW, 

X = total  channel  failure  rate  at  full  load. 


t = mission  time,  ( 

t,  - i __L_  * 

tl  " X’  exp  [x’t]  -1 

X*  = channel  "open"  failure  rate  at  half  load, 
o 

= equipment  "open"  failure  rate  + isola- 
tion device  (switch)  "open”  failure 
rate  + inadvertent  switch-over  failure 
rate,  or 

= x*  Equip.  + XS0  + ASW 

X*  = channel  failure  rate  at  half  load  re- 
s suiting  from  both  an  equipment  "short" 
failure  and  the  inability  of  the 
switching  device  to  open  the  circuit 
to  isolate  the  shorted  equipment  from 
the  system  and  is : 

~ t x X’ s xXgF, 

where 

^ = equipment  short  failure  rate  at  half 

S1  load,  and 


X = isolation  device  failure  rate  (not 
S functioning  when  required), 

X*  - total  channel  failure  rate  at  half 
load 


The  probability  (P)  that  a channel  will 
not  fail  due  to  an  equipment  short  failure  is 
a function  of  the  short  failure  probability  and 
the  probability  that  the  isolation  device  will 
successfully  open  the  shorted  circuit  immediately 
following  the  short.  Using  equation  (4)  to  ex- 
press the  joint  probability,  P,  that  either  event 
will  be  successful: 

P = exp  [-X'Bt]  = exp 

+ exp  [-AgFt]  - exp  [ -(  A'^  + A^)  t]  (34) 

Rearranging  terms.  Equation  (34)  becomes 
P = exp  J-A'gtJ  = l-(l-exp  j'-A*  t j) 

(1-exp  |-*sptj,)  ^35) 

It  has  been  shown  in  the  literature  that  the 
approximate  solution  of  eXp  [-x]  where,  exp  [-x] 

^ 1-x,  introduces  very  little  error  when  the 
value  of  the  exponent  is  small  (x  4 0 .3  )}->£  If 

it  is  assumed  that  the  exponents  in  the  above 
equation  are  within  the  acceptable  range,  then 
the  equation  may  oe  rewritten: 

l-A*st«l-(A'Sit)  (Xspt) 


x's  ~ A'  s1  XSFt 

A comparison  of  the  reliability  equations 
for  active  redundancy  with  and  without  isolation 
devices  indicates  that  no  general  statement  of 
trend  can  he  made  as  to  which  is  the  better  from 
the* reliability  viewpoint.  The  comparison  must 
be  made  for  a specific  application  on  the  basis 
of  the  detail  design  of  the  redundant  arrange- 
ment and  considering  complexity,  weight,  and  ease 
of  checkout. 


(36) 

(37) 


237 


6 

failure  Rate  x 10 

50% 

Rated 

Output 

1.27 
1.27 
1.27 
0.  70 

0. 70 

1.  74 
0.50 
0.50 
0.50 
2.00 
0.10 
0.60 

0.28 

i 

11. 43 

100% 

Rated 

Output 

1.90 
1.90 
1.90 
1.00 
1.00 
1.  74 
0.75  1 
0.75 
0.75 
3.00 
0. 10 
0.60 

0.28 

15.67 

i 

Part 

Type 

Resistor 

Resistor 

Resistor 

Transistor 

Transistor 

Capacitor 

Diode 

Diode 

Diode 

Transformer 

Fuse 

Connector 

28  Internal 
Connections 

< 

Part 

Reference 

Designation 

R1 

R2 

R3 

Q1 

Q2 

Cl 

CR1 

CR2 

CR3 

T1 

FI 

P 

Totals 

H- I 
(0 


239 


Figure  11  - Reliability  of  Standby  Redundant  - Two  Channel  Systems 
Mission  Time  t - 1 Year  (8,  760  hours). 


2to 


An?qini;>H 


Channel  Failure  Rate 


References 


Carhart,  R.R.  - Rand  Corporation  (USAF  Con- 
tract) Res.  Mem.  EM-1131. 

2.  Reliability  of  Military  Electronic  Equipment  - 
AGREE  Report , 4 June  1957*  Report  by  Task 
Group  1,  Appendix  B. 

3.  Price,  H.  Walter  - Reliability  of  Parallel 
Electronic  Components ; IRE  Transactions 
on  Reliability  and  Quality  Control,  April 

i960. 


h.  Balaban,  Harold  S.  - Some  Effects  of  Redun- 
dancy  on  System  Reliability.  Proceedings 
of  the  Sixth  National  Symposium  on  Reli- 
ability and  Quality  Control,  January  i960. 


Acknowle  dgement 

The  authors  wish  to  acknowledge  the  assist- 
ance of  Nicholas  Geluso  of  Grumman  Aircraft  En- 
gineering Corporation  for  his  many  helpful  sug- 
gestions in  the  preparation  of  this  paper. 


2kl 


• 

4 *iM  j 

- 'si  11  L*1!  » r • 

GRAPHIC  SOLUTION  OF  RELIABILITY  LOGIC  EQUATIONS 


William  E.  Marshall 
Senior  Reliability  Engineer 
Minneapolis -Honeywell  Ordnance  Division 
Hopkins*  Minnesota 

17^y 


Reliability  logic  equations  can  in  some  in- 
stances become  extremely  complex  because  of  un- 
avoidable duplication*  triplication,  sequential 
events*  interactions*  interdependencies*  etc. 

In  these  instances*  if  reliability  logic  equations 
are  not  used*  the  results  of  reliability  predic- 
tion can  be  deceivingly  inaccurate*  This  paper 
presents  a simple,  accurate  procedure  for  graphic 
solution  of  reliability  logic  equations,  A 3- 
phase*  solid-state  inverter  with  a failure  de- 
tecting and  switching  circuit  and  a standby-re- 
dundant, single -phase  invert er  is  used  as  an 
example  of  how  to  solve  reliability  logic  eq- 
uations graphically* 

Reliability  Logic  - Mathematical  Relationships* 

To  examine  reliability  logic  relationships 
as  they  are  discussed  in  this  paper*  consider  a 
system  comprised  of  a single  Black  Box,  ”A^. 
Logically*  one  could  say  that: 

The  system  would  fail 
if 

Black  Box  "A"  fails 

In  most  systems*  the  reliability  logic  ex- 
pression can  be  simplified  to  the  above  form* 
There  are*  however*  redundant  systems  which  can- 
not be  thus  simplified.  Because  certain  defects 
in  one  redundant  channel  can  cause  system  failure 
If  these  defects  are  accompanied  by  certain  other 
defects  in  another  redundant  channel,  in  these 
instances  duplication  will  arise  in  the  reliab- 
ility logic  expression. 

Suppose  this  system  had  several  black  boxes 
and  that  in  its  simplist  form*  the  reliability 
logic  expression  included  Black  Box  irArr  three 
times*  If  one  were  to  analyse  the  effect  of 
Black  Box  ,rAu  only*  upon  the  system  he  would 
generate  either  reliability  logic  expression: 

The  system  would  fail 
if 

Black  Box  "A”  fails 
AND  if 

Black  Box  11 A 11  fails 
AND  if 

Black  Box  MA"  fails 
or  reliability  logic  expression: 

The  system  would  fail 
If 

Black  Box  f*Ari  fails 
OR  if 

Black  Box  "A"  fails 
OR  if 

Black  Box  "A"  fails 


At  first  glance*  the  above  logic  statements 
appear  to  be  rather  ridiculously  obvious  ; how- 
ever* this  type  of  duplication  is  neither  ridi- 
culous nor  obvious  when  it  Is  in  ter- woven  within 
a complex  set  of  relationships*  inter-relation- 
ships* interdependencies*  and  ma ny  black  boxes. 

In  the  simplified  reliability  logic  expression  in 
one  project*  two  functions  appear  three  times 
each,  and  six  functions  appear  twice.  That 
particular  expression  cannot  be  further  simpli- 
fied; hence*  duplication  Is  unavoidable,  and 
must  be  properly  accounted  for. 

There  are  two  methods  for  predicting  the 
failure  probability  when  duplication  arises. 

First,  one  can  assume  that  no  duplication  exists 
(i*e.*  that  logic  statements  (2)  and  (3)  each  in- 
volve three  separate,  non-related  black  boxes) 
and  set  up  the  for  mala  for  the  failure  probabil- 
ity accordingly.  Second*  one  can  set  up  and 
solve  the  reliability  logic  equation  to  derive 
the  formula  for  the  failure  probability.  Al- 
though the  first  method  is  incorrect*  it  Is  often 
used  as  an  approximation* 

Mathematically,  logic  statements  (1),  (2)* 
and  (3)  will  give  3 different  failure  probabili- 
ties If  duplication  is  disregarded  as  explained 
above  in  the  first  method.  This  disregard  for 
duplication  can  be  expressed  as  follows:  Single 

function  A Is  assumed  to  be  three  separate  black 
boxes.  For  illustration,  they  can  be  shown  as 
A i , A2,  and  ky  Failure  of  these  black  boxes  Is 
represented  thus:  A^*  and  A^. 

P(AO  - probability  of  failure  of  Black  Box  r,Axir 
1 x 

F(A|)  * probability  of  failure  of  Black  Box  "A2" 
?(k9)  m probability  of  failure  of  Black  Box  "Ay1 

3 

If  Q ■ system^  probability  of  failure 
then: 

computed  from  logic  statement  (l) 

Q - P(A')  (it) 

(2) 

and: 

computed  from  logic  statement  (2) 

Q - P(A<)  P(A')  P(A<)  - [P(A*)J  3 (5) 

and: 

(3)  computed  from  logic  statement  (3) 


Q = P(A{)  + P(Ag)  + P(*3>  - P(A{)  P(aJ)  - 

P(Ag)  P(A^)  - P(A^)  P(A{)  + P(A{)  P(A|)  P(Ap 
(see  reference  1) 

= 3P(A«)  -[3  P(A')]2  + [p(A*  )j  3~3P(A' ) (6) 

Although  all  three  logic  suauements  are 
correct ^ the  failure  probabilities  confuted  in 
the  above  manner,  which  disregards  duplication  of 
events,  are  different.  In  this  example,  the 
reason  for  the  differences  between  equations  (h) , 
(5),  and  (6)  and  the  magnitude  of  the  differences 
are  easily  seen;  however,  in  more  complex  systems, 
the  reasons  and  magnitudes  become  obscure. 

Logic  statements  (l),  (2),  and  (3)  can  be 
re -analyzed  using  logic  algebra  (see  reference  2) 
with  the  following  results: 


Based  upon  logic  statement  ( l) 

Q s P(A’)  (7) 

Based  upon  logic  statement  (2) 

Q * P(A*  and  A*  and  A1)  * P(A*)  (8) 

Based  upon  logic  statement  (3) 

Q - P(A*  or  A or  A1)  * P(A')  (9) 


The  results  of  these  two  approaches  can  be 
summarized  thus: 


LOGIC 

STATEMENT 

NUMBER 

FAILURE 

PROBABILITY 

DISREGARDING 

DUPLICATION 

USING  LOGIC 
EQUATIONS 

EQUATION 

NUMBER 

VALUE 

EQUATION 

NUMBER 

VALUE 

1 

it 

P(A') 

7 

P(A') 

2 

5 

[P(A')]3 

8 

P(A') 

3 

6 

~3P(A') 

9 

P(A') 

The  above  reliability  logic  equations  are 
easy  to  solve.  In  complex  systems,  the  solution 
of  reliability  logic  equations  is  often  difficult 
or  at  the  least,  very  tedious  and  painstaking. 

A simple  method  is  very  desirable. 

Example 

The  need  for  duplication  in  reliability 
logic  equations,  the  inaccuracy  of  disregarding 
this  duplication,  and  the  method  of  solving 
reliability  logic  equations  graphically,  can  be 
best  illustrated  by  using  a particular  example. 

3-Phase  Solid  State  Inverter. 

Consider  a 3-phase,  solid-state  inverter, 
with  a failure  detection  and  switching  circuit, 
and  a standby-redundant,  single-phase  inverter. 

A block  diagram  of  this  system  is  shown  in  Figure 
1;  however,  the  circuitry  is  beyond  the  scope  of 
this  paper.  This  is  neither  a randomly  selected 
everyday  example  nor  is  it  a hypothetical  or 


FIGURE  1 - BLOCK  DIAGRAM  OF  3 -PHASE,  SOLID-STATE  INVERTER  WITH  ONE  REDUNDANT,  SINGLE-PHASE  INVERTER 


- RELIABILITY  LOGIC  DIAGRAM  FOR  3 -PHASE,  SOLID-STATE  INVERTER 


fic tic 0113  example.  An  actual  system  was  select- 
ed, then  modified  and  simplified  so  as  to  best 
illustrate  graphical  solution  of  reliability 
logic  equations.  The  logic  statement  for  system 
failure  is:  the  system  will  fail  if  one  of  the 

primary,  single-phase  inverters  "A",  MB%  or  nC*r 
fail,  and  if  either  the  failure  detector  and 
switching  circuit  i[En  fails  or  the  redundant, 
single-phase  inverter  NDrr  fails,  or  if  more  than 
one  of  the  primary,  single-phase  inverters  fails. 

The  above  logic  statement,  although  correct, 
is  both  confusing  and  inadequate  for  setting  up 
reliability  logic  equations;  therefore,  a com- 
plete logic  statement  in  block  diagram  form  is 
shown  in  Figure  2#  These  reliability  logic 
relationships  could  be  correct! y diagrammed  in 
many  different  ways;  however,  Figure  2 is  suf- 
ficient for  this  illustration.  This  diagra- 
matic  technique  is  discussed  further  in  reference 
2,  Although  the  diagram  is  success-oriented  for 
sircplifi cation  and  ease  of  illustration,  it 
could  have  been  failure-oriented  if  desired. 

Above  each  block  in  the  diagram,  the  mean-time- 
be tween-failures,  the  reliability,  and  the  failure 
probability  of  the  subsystem  represented  by  that 
block  are  shown. 

Figure  3 shows  the  basic  way  in  which 
series  - parallel  failure  probabilities  combine 
to  produce  system  failure  probabilities.  The 
failure  probability  of  the  combination  of  Black 
Box  ”Arr  and  Black  Box  11 B11  logically  in  parallel  is 


DISREGARDING  TRIPLICATION  OF  EVENTS  A»,  B',  C«,  AND  D>, 

Qa=  (p(A')  +P(B»)  + P(C»)j  ([P(A')  + P(B')  + P(D»)]  [p(A')  + P(D')  + P(C')]  [p(D')  +P(B')  + P(C')]  + P(E'| 

« .00069 

USING  LOGIC  EQUATIONS  WHICH  TAKE  INTO  ACCOUNT  TRIPLICATION: 

Q ■ p[(A*  or  B1  or  C)  and  ((A*  or  B*  or  D*)  and  (A1  or  D'  or  C1)  and  (D'  or  B'  or  C*)]  or  E1] 

“ ,00li8  by  graphic  solution  (See  Figure  5) 


FIGURE  U - INVERTER  FAILURE  PROBABILITY 


jDtI 


cr 

C 

B 

D 

Q = P(A')P(B')  + P(C»)P(D»)  - P(A')P(B,)P(C,)P(D'} 
FIGURE  3 - SERIES-PARALLEL  FAILURE  PROBABILITY 


QAB  PARALLEL  " P(A')  P(B’) 

and  the  failure  probability  of  the  combination  of 
Black  Box  "C"  and  Black  Box  "D"  logically  in 
parallel  is 

QCD  PARALLEL  “ P(c')  P(D') 

therefore,  the  failure  probability  of  these  two 
combinations  logically  in  series  is 

QSERIES  COMBINATIONS  ■ QaB  PARALLEL  + QCD  PARALLEL 

-QAB  PARALLEL  ^CD  PARALLEL 

- P(A')P(B‘)  + P{C')P(D')  - P(A')P(B*)P(C')P(D>} 
«P(A')P(B')  + P(C')P(D') 


2k6 


Omitting  the  higher  order  term, 

- P(AT ) P(B')  F{C*)  P(D») 

will  not  inject  error  of  serious  consequences \ 
hence , 

Q = P(Af } P(B’)  + P(C»)  P(B’) 

Higher  order  terms  of  this  type  are  intentionally 
omitted  from  the  calculations  in  Figure  iu 

The  above  principles  for  combining  probabil- 
ities are  used  to  analyze  the  3-phase ? solid-state 
inverter  as  shown  in  Figure  It  will  be  noted 
that  events  A,  B,  G,  and  D each  are  shown  three 
times  in  this  diagram  (as  well  as  in  Figure  2,) 

The  calculations  shown  in  Figure  H assume  that 
each  box  in  the  figure  is  totally  non-re  la  ted, 
and  by  this  method  it  appears  that  the  failure 
probability  is  *0006$?  instead  of  its  true  *00^8 
(to  be  discussed  later.) 

Figure  4 also  Shows  the  following  logic  equa- 
tion for  the  system  failure  probability: 

Q - p[(A*  or  B'  or  C')  and  ( (A*  or  B'  or  D')  and 

(A1  or  D'  or  C*)  and  (D1  or  B'  or  C')j  or  E'j 

Using  several  sheets  of  paper  and  a few  hours' 
time,  one  can  reduce  this  equation  to  the  exact 
form: 

Q - P(A)P(B)P(E)P(C')P(E')  + P(A)P(B)P(C')P(E')  + 
P(A)P(C)P(E)P(B’)P(D’)  + P(A)P(C)F(B')P(J5<)  + 
P(A)P{B»)P(C>)  + P(B)P(C)P(E)P(A')P(D')  + 
P(B)P(C)P(A'  )P(E 1 ) + P(B}P(A')P(C)  + P(A')P(B') 

= .0014,815 

or  the  following  approximate  form; 

Q = P(C')P(D')  + P(C')PCE')  + P{B')P(D’)  + 

P(B*  )P(E 1 ) + F{B')P(C')  + P(A')P(D')  + P(A'  )P(E ' ) 

+ P( A 1 )P(C' ) + P(A')P(B')  - .005,002 

Where  A represents  success  of  Black  Box  flA”  and 
A*  represents  failure  of  Black  Box  "A". 

Graphic  Solution*  Rather  than  using  several 
sheetsT  of  paper  and  a few  hours  time,  one  can 
solve  this  same  reliability  logic  equation  in.  sev- 
eral minutes  with  one  sheet  of  paper  (Figure  5), 
and  a calculator* 

Basically,  this  diagram  traces  all  possible 
combinations  of  subsystem  performances  of  a hypo- 
thetical population  of  1,000,000  inverters. 

The  first  item  which  the  logic  in  the  dia- 
gram considers  is  how  single -phase  inverter  rfA" 
operates.  Since  *973  is  its  reliability,  single- 


phase inverter  "A11  will  operate  successfully  in 
£73,000  of  the  original  million  inverters*  This 
is  represented  by  the  number  973,000  above  the 
horizontal  line  at  the  right  of  block:  "Event  A 
occurs  *lf  Of  the  1,000,000  inverters,  27,000  will 
have  single-phase  inverters  "AH  which  fail  to  op- 
erate successfully.  This  is  represented  by  the 
number  27,000  on  the  vertical  line  below  the 
block:  "Event  Ap  occurs."  Of  the  973,000  inver- 

ters in  which  single -phase  inverter  "A11  operates 
successfully,  the  next  logical  step  is  to  examine 
the  performance  of  single -phase  inverters  T,B1T  and 
"Cu  and  if  necessary  "Dn  and  switching  circuit 
1rE".  If  one  traces  each  individual  combination 
of  sub -events  in  this  diagram,  he  will  find  that 
no  combination  contains  a sub -event  more  than 
once.  This  is  an  especially  important  check 
which  can  and  should  be  made  on  a complex  diagram* 

Of  the  initial  1,000,00 0 inverters  973,000 
will  have  successful  phases  "A1^  9^6,729  will 
have  successful  phases  "A"  and  "B" ; and  921,16? 
will  have  successful  phases  "A",  flBn,  and  "C", 

Of  the  original  1,000,000  inverters,  27,000  will 
have  failures  in  phase  "A"  and  ?29  will  have 
failures  in  phases  ,fAn  and  "B". 

These  two  combinations  illustrate  graphical 
solution  of  one  success  logic  relationship  and 
one  failure  logic  relationship.  Figure  5 shows  a 
total  of  four  success  and  nine  failure  logic  rel- 
ationships - each  relationship  different  from  all 
others . 

These  relationships  of  subsystem  performan- 
ces which  result  in  system  success  (listed  from 
top  to  bottom)  are: 


A and  B and  C 

A and  B and  G'  and  E and  D 
A and  B*  and  C and  E and  D 
V and  B and  G and  E and  D 


and  the  relationships  of  subsystem  performances 
which  result  in  system  failure  (listed  from  left 
to  right)  are: 

A1  and  B1 
A and  B 1 and  CT 
A1  and  B and  C1 
A and  Br  and  G and  El 
A and  B and  G1  and  E* 

A 1 and  B and  C and  E * 

A and  B*  and  C and  E and  D* 

A and  B and  C1  and  E and  Df 
A1  and  B and  G and  E and  D1 


Disregarding  duplication  will  not  always 
give  falsely  optomistic  results.  In  a success- 
oriented  diagram,  if  duplicate  blocks  appear  log- 
ically in  series  and  if  this  duplication  is  dis- 
regarded, the  results  will  be  falsely  pessimistic* 
If  duplicate  blocks  appear  logically  in  parallel, 
and  if  this  duplication  is  disregarded,  the  re- 


248 


suits  will  be  falsely  optomistic. 


References! 


It  is  important  to  re-emphasize  the  effect  of 
disregarding  the  logic  relationship  approach.  In 
this  example , the  true  failure  probability  comput- 
ed by  using  the  logic  approach  in  Figure  E>  is 
,0048;  .00069  appears  to  be  the  failure  probabil- 
ity if  logic  relationships  are  disregarded  as  in 
Figure  1*. 

Conclusions 

In  some  instances,  reliability  logic  rela- 
tionships include  unavoidable  duplication.  If 
this  duplication  is  disregarded,  reliability  or 
failure  probability  calculations  will  be  in  error. 
This  duplication  can  be  properly  accounted  for  by 
using  logic  equations.  Graphical  solution  of  re- 
liability logic  equations  is  simple,  accurate, 
and  time  saving. 


1.  Lindgren,  B.  W.  and  Me  Elrath,  G.W. , 
Introduction  to  Probability  and  Statis- 
tics, 1959,  pages  17  and  21. 


2.  Boole,  G.  An  Investigation  of  the  Laws  of 
Thought,  Cork7  Ireland,  iB'sU. 

3.  Holtzman,  C.  Weldon,  Jr.,  and  Marshall, 
William  E,,  "A  New  Method  of  Communica- 
tion Between  Engineer  and  Mathematician 
Aids  System  Reliability  Prediction",  Pro- 
ceedings of  Sixth  National  Symposium  on 
Reliability  and  Quality  Control  in  Elec- 
tronics, Washington,  d7  C. , January  I960, 
pages  403-408. 


249 


MTBF  APPO  RTIONMENT 

IN  RELIABILITY  CONTROL  OF  THE  MAULER  DESIGN 


Leonard  R.  Doyon 
Raytheon  Company 
Way land,  Mass. 


One  of  the  more  important  tasks  for  the  re- 
liability engineer  is  translating  a reliability 
system  specification  requirement  into  subassembly 
design  requirements  that  have  meaning  for  the  de- 
sign engineer.  But  the  performance  of  this  task 
alone  does  not  ensure  that  the  reliability  design 
requirements  will  be  met,  particularly  'when  the 
state-of-the-art  is  being  taxed  to  its  limit* 

The  task  of  translating  reliability  system  re- 
quirements into  subassembly  requirements,  called 
trMTBF  Apportionment, Tl  must  be  complemented  by 
firm  management  reliability  policies  and  effec- 
tive control  procedures. 

This  paper  describes  the  technique  used  by 
reliability  engineers  in  apportioning  the  MAULER 
Acquisition  and  Track/llluminator  radar-subsys- 
tems MTBF  (mean -time -be tween -failure)  design  re- 
quirements down  four  levels  to  the  subassemblies. 
This  paper  reveals  how  the  MTBF  apportioned  val- 
ues, when  made  specific  design  requirements  en- 
forced by  MAULER  Systems  management  policies  and 
key  reliability  procedures,  evolved  into  an  ef- 
fective tool  for  controlling  the  reliability  of 
the  MAULER  radar  subsystems  design  presently  in 
its  initial  R&D  phase  at  Raytheon  Company. 

For  security  reasons,  certain  design  fea- 
tures, reliability  Indices,  and  the  actual  break- 
down and  numerical  values  in  the  MTBF  apportion- 
ment cannot  be  disclosed. 


electronic  subsystem  or  system,  is  expected  to 
design  to  meet  reliability  requirements  specified 
quantitatively  in  terms  of  the  system  MTBF,  mis- 
sion-success probability,  or  often  loosely  de- 
fined as  “...for  achieving  optimum  system  reli- 
ability/1 If  the  reliability  requirements  are 
specified  quantitatively  in  terms  of  MTBF,  he  is 
expected  somehow  to  find  a way  in  harmony  with 
the  other  hundred  or  more  design  engineers  to 
meet  the  single  system  reliability  design  objec- 
tive. Sharing  of  the  reliability  design  load  is 
not  considered  since  it  cannot  be  even  identified 
much  less  defined  by  the  design  engineers.  To 
say  the  least,  the  efforts  in  terras  of  meeting 
the  system  MTBF  requirements  are  haphazard. 

It  remains  the  task  of  the  reliability  en- 
gineer, disciplined  and  trained  in  the  terminol- 
ogy and  methods  of  reliability  mathematics  and 
engineering,  to  translate  and  apportion  equitably 
the  system  MTBF  quantitative  contractual  require- 
ments into  subassembly  quantitative  requirements 
meaningful  to  and  within  the  scope  of  responsi- 
bility of  the  individual  design  engineer.  Once 
the  reliability  design  requirements  are  defined 
and  established  for  each  subassembly  by  the  re- 
liability engineer,  meeting  the  apportioned  MTBF 
requirements  for  each  subassembly,  and  the  con- 
tractual MTBF  requirement  for  the  system,  becomes 
a team  effort  by  design,  system,  and  reliability 
engineers. 


Introduction 

Most  reliability  specifications  and  docu- 
ments in  existence  today  are  in  agreement  that 
reliability  must  be  designed  into  an  equipment, 
and  that  " designing-  for  reliability^"  must've  a 
part  of  the  earliest  concept  of  system  design. 
The  design  engineer  is  told  that  this  is  his  re- 
sponsibility, and  that  he  must  "design  for  reli- 
ability first,  max  imum  p er f o rmanc  e s econd . " 1 To 
assist  him  in  his  task,  numerous  reliability 
handbooks  for  design  engineers  have  been  pub- 
lished during  the  past  few  years.  These  hand- 
books contain  several  hundred  pages  of  "helpful 
hints,1’  failure-rate  tables,  derating  curves, 
nomographs  and  pictographs,  stochastic  variable 
concepts  and  mathematical -probability  symbols, 
Weibull  distribution  functions,  and  at  least  two 
Tt improvements"  of  Tshebysheff  Ts  inequality  theo- 
rem. With  all  these  "useful"  tools  at  his  dis- 
posal, the  design  engineer,  who  is  usually  re- 
sponsible for  only  one  or  two  subassemblies  out 
of  the  several  hundred  that  make  up  the  complex 


However,  for  the  MAULER  Reliability  Program 
the  reliability  engineer's  task  does  not  end 
here.  In  terms  of  MTBF  quantitative  values,  the 
reliability  contractual  requirements  for  the  MAU- 
LER radar  subsystems,  because  of  the  severe  en- 
vironmental conditions  expected,  represent  a need 
for  advancing  the  radar  reliability-design  state- 
of-the-art  by  a factor  of  at  least  two.  A very 
difficult  technical  enterprise  remains.  Conse- 
quently, throughout  the  life  of  the  MAULER  design 
program.  In  addition  to  providing  technical  sup- 
port, the  reliability  engineer  must  continually 
monitor  the  reliability  progress  of  the  MAULER 
design.  He  must  do  this  without  usurping  the 
traditional  prerogatives  of  the  system  and  design 
engineers.  This  he  does  through  the  policies  and 
procedures  developed  and  established  mutually  for 
the  Program  by  the  MAULER  Systems  Organization 
and  the  Reliability  Section. 


25± 


frTTBF  Apportionment' 

What  it  is  and  What  it  Does 


Where  quantitative  reliability  indices  are 
specified  in  a contract , the  practice  of  appor- 
tioning MTBF  values  {or  failure -rates)  for  divid- 
ing the  load  in  meeting  reliability  contractual 
requirements  of  electronic  systems  is  not  new, 

It  has  been  implemented  extensively  by  the  custo- 
mer j usually  the  military  agencies , and  the  prime 
contractors  alike  in  parcelling  out  reliability 
requirements  to  several  contractors  or  subcontrac- 
tors,^ It  has  been  used  by  subcontractors  as  a 
means  of  controlling  within  their  own  internal  or- 
ganization the  allocation  or  division  of  the  reli- 
ability design  load.  In  essence.  It  is  literally 
"cutting  up  the  pie"  of  reliability  contractual 
requirements  when  no  matter  how  the  pie  is  cut, 
the  whole  must  equal  the  sum  of  all  its  pieces* 


Of  course,  the  objective  of  any  apportion- 
ment is  equity.  An  equitable  apportionment  is 
one  where  the  design  ease  or  difficulty  in  meeting 
the  apportioned  MTBF  is  properly  distributed  for 
all  the  subsystems  or  units  concerned*  Conversely, 
an  inequitable  apportionment  defeats  the  intended 
purpose,  causing  an  unbalance  among  subsystem  or 
unit  requirements,  resulting  in  the  disproportion- 
ate added  weight,  volume,  cost  and  design  time  for 
certain  affected  subsystems  or  units. 


Apportionment  by  Tt Active -Element -Group" 


Of  these  three  categories,  the  "Active -Ele- 
ment -Group"  or  "AEG"  method  has  been  the  most 
useful  and  applicable  to  the  MAULER  radar  design 
effort  at  Raytheon,  and  is  the  method  discussed 
in  detail  in  subsequent  paragraphs.  The  method 
is  b a seer  on  an  approximate  count  of  tubes  and 
transistors  (active -element)  in  the  subsystems 
and  assemblies,  assuming  a given  number  and  types 
of  supporting  passive -elements,  and  modifying  the 
results  with  weighting  factors  extrapolated  from 
known  field  performance  of  similar  equipments* 

The  usefulness  of  the  "AEG"  method  is  its  appli- 
cability at  the  most  critical  time  of  the  design 
cycle  — during  the  early  design  concepts. 

Apportionment  by  "Parts -Count" 

The  familiar  "parts -count"  technique  widely 
used  in  reliability  prediction  work  was  adopted 
during  the  latter  period  of  the  MAULER  engineer- 
ing model  phase,  when  the  component  parts  list 
and  design  parameters  were  known  with  a reason- 
able degree  of  accuracy,  merely  to  refine  the 
MTBF  apportionment  made  earlier  by  the  "AEG" 
method* 


Apportioning  the  MTBF 
for  the  MAULER  Radars 


The  methods  and  degree  of  scientific  ap- 
proaches used  for  apportioning  MTBFs  have  ranged 
widely  from  complicated  but  sophisticated  weight- 
ing techniques^  to  "educated  guesses,"  The  meth- 
ods based  on  "hunches"  or  "guesses"  are  of  little 
interest.  For  our  purposes,  the  only  methods  of 
concern  are  those  in  which  some  degree  of  scien- 
tific approach  is  used.  These  methods,  all  of 
which  are  basically  measures  of  the  comparative 
degree  of  complexity  of  systems  or  equipments, 
can  be  broadly  divided  into  the  three  main  cate- 
gories described  below: 

Apportionments  by  "Weighting  Factors" 

This  method  is  found  most  effective  for  ap- 
portioning the  necessary  MTBF  of  a large  complex 
system  composed  of  heterogeneous  subsystems  such 
as  a radar,  a computer,  and  a missile  subsystem. 
Based  on  analytical  studies,  advance  knowledge  or 
past  experience,  the  apportionment  must  be  made 
with  reasonable  equity  involving  trade-offs  or 
weighting  between  subsystems  such  factors  as  modes 
of  operation,  state-of-the-art,  and  readiness  re- 
quirements* Since  the  MAULER  radars  (See  Figure 
1)  have  the  contractual  MTBF  requirements  speci- 
fied by  the  prime  contractor,  this  method  Is  not 
germane  to  the  radars*  Consequently,  a detailed 
discussion  of  this  method  would  be  beyond  the 
scope  of  this  paper.  The  interested  reader  is 
advised  to  consult  the  reference  noted. 


The  Reliability  Block  Diagram  and  Mathematical 
Model 

The  first  step  in  apportioning  the  MTBF  of 
an  electronic  equipment  subsystem  is  to  analyze 
the  tactical  function  and  modes  of  operation  of 
the  subsystem  and  of  each  unit  within  the  subsys- 
tem, The  next  step  is  to  determine  for  each  mode 
of  operation  the  reliability- dependency  of  each 
unit  within  the  system.  Any  unit  whose  function 
and  satisfactory  operation  are  vital  to  the  tac- 
tical mission  of  the  entire  subsystem  is  consid- 
ered to  be  reliability -depen dent  and  is  repre- 
sented simply  as  one  block  in  a series  chain  of 
similarly  reliability-dependent  units  as  shown 
below: 


2^2 


Mathematic  ally , the  total  reliability  Rp  of  the 
subsystem,  where  failures  from  Unit  to  Unit  are 
independent,  is  expressed  simply  by  the  well-known 
formula: 

n - k 

rt  “ TT  rA-  (1) 

t = I 

where,  for  the  example  given,  R^  is  the  reliabil- 
ity of  the  two  redundant  units  A and  B;  namely: 

r3  = I - (i-Ra)  0-rb)  (2) 


The  Acq  Radar  Model*  For  the  purposes  of 
this  paper,  only  one  principal  mode  of  operation 
for  the  Acq.  radar  need  be  analyzed;  namely,  the 
active-search  mode,  assuming  three  elevation  chan- 
nels and  no  computation  evaluation  as  represented 
by  the  solid  blocks  in  the  reliability  model  shown 
in  Figure  2.  Let  us  further  assume  that  to  sat- 
isfy a particular  situation,  only  two  out  of  the 
three  elevation  channels  heed  to  operate  satisfac- 
torily. The  reliability  mathematical  model  for 
the  Acq.  is  then  properly  expressed  as: 


n-6 

r b /3. 

- 

X 

* 

3-x1 

rt  = TT 

RV,  ^ 

R7  R0C 

i_R7  rDC 

n.=  l 

[X=2 

. . 

By  assuming  that  failure  occurrences  for  each  unit 
in  the  subsystem  are  exponentially  distributed, 
namely: 


R = 


-Xt 

■■e 


or  <e 


(3) 

where  X = failure  rate 


and  m = MTBF 


where  the  expression  in  the  brackets  is  the  reli- 
ability that  at  least  two  out  of  three  elevation 
channels  are  operating  satisfactorily  and  Rj^  is 
the  reliability  of  a Bata  Converter  Unit 
where : 

RDC  « RVC  Rrb  (T) 


except  for  the  redundant  units  A and  B,  the  fail- 
ure rates  of  all  other  units  are  additives: 


XT  less  X3  - Xj  + X2  + X^  + ...  + Hi 


to 


Experience  has  shown  that  failure  occurrences  for 
electronic  equipment  often  exhibit  the  Weibull 
failure  distribution: 


R(t)  = « 


~i  t-Y)^ 
cT~~ 


where: 


(5) 


a = scale  parameter 
fi  - shape  parameter 
Y = location  parameter 

However,  for  large  complex  subsystems,  the  error 
introduced  by  assuming  fi  = 1,  giving  equation  (3) 
above,  is  negligible  for  the  purpose  of  failure 
rate  (or  MTBF)  apportionment.  It  is  this  assumed 
additive  property  of  failure  rates  that  makes  pos- 
sible simple  arithmetic  calculations  that  can  he 
easily  explained  to  design  engineers.  To  make  the 
apportionment  task  a working  tool,  simplicity  in 
calculation  is  more  important  than  unnecessary 
mathematical  precision.  In  the  case  of  multiple 
redundant  units  or  assemblies,  especially  where 
the  units  are  neither  functionally  identical  nor 
essential  to  certain  modes  of  radar  operation  thus 
introducing  a form  of  "quasi -redundancy, 11  the  MTBF 
apportionment  calculations  do  not  lend  themselves 
to  the  simple  arithmetic  techniques  such  as  in  the 
case  of  series -dependency  where  exponential  fail- 
ure distribution  can  be  as sumed.  Fortunately, 
however,  in  most  practical  cases,  as  illustrated 
in  subsequent  paragraphs,  the  reliability  block 
diagram  and  mathematical  model  can  be  greatly 
simplified  by  an  engineering  analysis  of  the  unit 
functions  and  type  of  circuitry  involved. 


and  RyC  and  R^g  are  the  reliabilities  of  the  bank 

of  m velocity  channels  and  the  bank  of  u range 
bins  respectively.  But, 

Rvc=  2 . QCc -vmrV  ■:  (8) 

where  Ryc  is  the  reliability  of  a single  velocity 

channel  and  k is  the  number  of  velocity  channels 
that  can  fail  without  causing  degradation  of  the 
target  data.  Similarly: 


,!q  - mi*1 


where  is  the  reliability  of  a single  range 
bin  and  k is  the  number  of  range  bins  that  can 
fail  without  causing  degradation  of  target  data. 

By  means  of  a little  reliability  engineering 
analysis  of  the  subassembly  functions  and  type  of 
circuits  for  velocity  channels  and  range  bins, 
and  assuming  conservatively  that  k velocity 
channels  and/or  k range  bins  can  fail  before 
causing  mission  abortion,  for  a pessimistic  esti- 
mate that  each  channel  and  bin  have  a failure 
rate  of  2%  per  1000  hours,  calculations  show 
that  for  the  required  mission  of  the  MAULER  sys- 
tem: 


Roc  > 0.99999 


(10) 


253 


Thus,  assuming  that  for  the  mission  Rjjq  is  prac- 
tically unity , equation  (6)  reduces  simply  to; 

n * 6 

Ry  ^ H Rq  Ry  (3  - 2Ry)  {^--^) 

A>  - I 

an  equation  that  can  he  handled  easily  for  pur- 
poses of  MW  apportionment. 

The  preceding  paragraphs  have  illustrated  an 
earlier  statement  that  with  some  engineering 
knowledge  of  the  unit  or  assembly  functions,  of 
the  circuits  involved,  the  required  mission  time* 
and  some  appreciation  of  the  approximate  failure 
rates,  most  reliability  mathematical  models  can 
be  greatly  simplified.  This  is  a must  for  per- 
forming MTBF  apportionment, 

T/l  Radar  Reliability  Model-  With  the  excep- 
tion of  the  Cooling  Unit  which  must  he  shared  by 
both  radars,  the  Track/ Illuminator  radar  units  and 
circuitry  are  completely  independent  of  the  Acq 
radar  (See  Figure  3}«  Except  in  the  Cooling  Unit, 
a malfunction  in  one  radar  will  not  affect  the 
other  radar. 

The  reliability  model  for  the  T/l  radar  is 
straightforward  with  the  exception  of  the  four 
Speed  Gate -Logic -Coherent  Sweep  subassemblies 
which  provide  some  degree  of  quasi -redundancy.  It 
is  not  true  redundancy  in  that  a single  speed  gate 
can  he  used  at  any  one  time  for  a given  target, 
but  each  h i gh -and -low- speed  gate  for  an  approach- 
ing target  is  complemented  by  high  and  low  speed 
gates  for  receding  targets  that  have  passed  over- 
head. One  might  say  that  a second  chance  or  shot 
is  thereby  provided,  but  this  is  not  quite  correct 
inasmuch  as  it  may  mean  getting  a second  shot  aft- 
er the  target  has  accomplished  its  mission* 
Nevertheless,  this  slight  advantage  in  qua si -re- 
dundancy is  taken  into  account  for  MTBF  apportion- 
ment purposes. 

Measuring  the  Complexity  of  Each  Unit 

By  this  time,  the  reader  has  noted  a count 
of  AEG's  ("Active -Element -Groups11)  Indicated  for 
each  block  in  the  reliability  model  of  Figures  2, 
and  3.  An  AEG  consists  of  a tube  or  transistor, 
or  its  equivalent  active -element,  and  its  esti- 
mated number  of  related  supporting  passive-ele- 
ments* During  the  early  design  concepts,  the 
method  of  assessing  the  relative  complexities  of 
different  units  or  assemblies  in  a subsystem  by 
estimating  the  count  of  AEGrs  in  each  unit  or  as- 
sembly, based  on  whatever  engineering  information 
there  is  on  hand  or  on  comparable  existing  equip- 
ment, provides  a simple  and  effective  base  measure 
for  apportioning  or  parcelling  the  subsystem  MTBF 
requirements  down  to  the  subassembly  level  in 
quantitative  terms  that  are  meaningful  to  the  de- 
sign engineer. 

The  method  of  estimating  the  number  of  AEGs 
is  not  new,  having  been  developed  some  years  ago 
as  noted  by  an  earlier  reference.  The  difference 
here  is  that  it  is  not  used  for  prediction  pur- 


poses. It  matters  little  what  the  actual  failure 
rates  are.  We  are  merely  seeking  a relative  mea- 
sure of  complexity  between  units  and  assemblies. 
For  each  unit  or  assembly  where  a count  of  AEG 
has  been  made  or  estimated,  the  MTBF  apportioned 
Is  simply  an  inverse  porportion  of  the  whole  as 
follows: 

Apportioned  Unit  MTBF - 

Contractual  Subsystems  MTBF 

Total  Number  of  AEGs  for  Subsystem 
Number  of  AEGs  for  Unit  or  Assembly 

An  apportionment  of  the  failure  rate,  of  course, 
would  he  the  reciprocal  if  the  assumption  of  ex- 
ponential distribution  per  equation  (3)  Is  valid. 
The  only  reason  for  apportioning  on  the  basis  of 
MTBFs  rather  than  failure  rates  is  that  the  sub- 
system requirements  are  specified  in  terms  of 
MTBFs,  For  working  purposes,  we  convert  all  MTBF 
values  into  failure  rates. 

Since  the  MAULER  radars  are  made  up  of  many 
types  of  transistorized  analog  and  digital  cir- 
cuits as  well  as  low-power  and  high -power  active 
networks,  initially  it  would  be  very  difficult  to 
select  and  count  multiples  of  a single  "typical" 
AEG  as  representative  of  the  subsystems.  For 
this  reason,  three  sizes  of  the  most  common  AEGs 
were  chosen  as  follows: 


AEGX 

1 transistor 
3 resistors 

2 capacitors 
1 diode 


7 parts 


^2 

1 transistor 
5 resistors 
3 capacitors 
3 diodes 


12  parts 


AK3 

1 transistor 
8 resistors 
5 capacitors 
1 diode 
1 coil 
16  parts 


When  the  three  AEG  counts  were  completed, 
the  three  types  of  AEGs  were  then  reduced  or  nor- 
malized to  a single  "typical"  AEG  (namely,  AEG^) 
by  considering  AEGg  equal  to  1,7  AEG,,  and  A EG^ 
equal  to  2.3  AEGq,  simply  on  the  ratio  of  number 
of  parts-  A moot  point  may  be  argued  here  that 
normalizing  strictly  on  the  basis  of  parts -count 
ignores  the  known  fact  that  transistors,  diodes, 
resistors,  capacitors  and  coils  have  different 
failure  rates.  Had  differences  in  failure  rates 
been  considered,  a greater  accuracy  in  normaliz- 
ing would  have  resulted;  but,  as  proved  later  by 
the  more  accurate  parts-count  method,  no  serious 
inequities  in  the  apportioned  MTBF  were  found 
where  the  estimated  AEG  count  was  accurate  ini- 
tially. 


Special  parts,  such  as  waveguide  elements 
and  power  tubes  were  assi^ied  weighted  "equiva- 
lent AEGs , " For  example,  a klystron  amplifier, 
which  according  to  our  experience  on  other  pro- 
jects have  exhibited  about  eight  times  higher 
failure  rates  than  for  a typical  AEG,  was  counted 
as  "8  equivalent  AEGs , " Furthermore,  100  radar 
AEGs  ordinarily  contain  approximately  50  poten- 
tiometers, 50  crystals,  and  2 pulse  transformers. 


254 


Wherever  this  ratio  of  additional  number  of  parts 
was  estimated  to  be  either  too  high  or  too  low, 
proportional  weighting  was  applied  to  the  AEG 
count.  On  the  whole,  there  were  few  instances 
where  this  proportional  weighting  was  necessary. 

One  extreme  example  of  weighting  for  another 
reason  was  the  digital  computer  circuitry.  As 
proved  by  field  experience,  digital  circuitry  is 
relatively  insensitive  to  parts  parameter  drift  as 
a result  of  aging  or  temperature  stress.  Digital 
circuits  have  field  failure  rates  one-tenth  that 
of  analog  circuits  having  an  equivalent  number  of 
parts.  Consequently,  the  total  number  of  AEGs 
counted  for  the  computer  was  divided  by  ten  for 
the  purpose  of  apportioning  the  MTBF.  Tables  1, 

2,  and  3 summarize  the  AEG  count,  made  during  the 
early  design  concept,  and  the  conventional  parts- 
count  was  made  several  months  later  for  predic- 
tion purposes  and  for  refining  the  earlier  appor- 
tionment. Subsequently,  minor  adjustments  and 
re -apportionments  were  made. 

Breaking  the  Unit- apportioned  MTBF  values  to 
the  Assembly  (or  third)  and  to  the  Subassembly 
(or  fourth)  levels  simply  required  a repetition  of 
what  was  done  at  the  Unit  level.  Apportionments 
at  the  third  and  fourth  levels  are  either  incom- 
plete or  have  to  be  revised  at  this  date  because 
of  recent  major  changes  in  the  design  concept  at 
the  subsystem  level.  Obviously,  any  major  change 
in  the  design  concept  at  a given  level  required 
an  MTBF  re -apportionment  at  all  lower  levels  in 
order  to  keep  the  apportionment  equitable. 

Meeting  the  Apportioned  MTBF  Requirement 
Implementing  Reliability  Control 

Once  the  MTBF  requirements  have  been  defined 
for  each  subassembly,  sound  managerial  policies 
must  be  set  into  motion  and  certain  key  procedures 
must  be  enforced  to  assure  that  the  MTBF  require- 
ments will  be  met.  One  such  procedure  or  document 
is  the  Specific  MAULER  Engineering  Requirements, 
better  known  at  Raytheon  as  "SMERs." 

The  "SMER."  As  represented  pictorially  in 
Figure  4,  the  MAULER  Systems  Organization  analyzes 
the  customer  subsystem  requirements,  and  from 
these  requirements  develops  and  establishes  firm 
design  engineering  requirements  for  units,  assem- 
blies, and  subassemblies  via  a SMER  document.  A 
key  design  parameter  specified  in  the  SMER  is  the 
apportioned  MTBF  value.  Thus,  the  SMER  is  the  ve- 
hicle by  which  the  apportioned  MTBF  value  becomes 
a binding  requirement  for  each  subassembly  as 
much  as  signal- to-noise  ratio,  power  dissipation, 
peak  power,  and  other  radar  design  parameters  to 
be  met  and  proved.  It  then  becomes  the  responsi- 
bility of  the  design  engineer,  consulting  with 
the  reliability  engineer,  to  design  for  meeting 
the  specified  subassembly  MTBF.  The  design  en- 
gineer must  make  all  the  failure- rate  calcula- 
tions for  his  assembly;  the  reliability  engineer 
checks  and  verifies  the  calculations.  The  design 
engineer's  tool  in  this  task  is  the  MAULER  Reli- 


ability Engineering  Manual. 

The  MAULER  Reliability  Engineering  Manual. 
Each  design  engineer  was  issued  a MAULER  Reli- 
ability Manual  during  the  early  design  concept 
period.  The  Manual,  compiled  by  the  Raytheon  Re- 
liability Section  at  Wayland,  contains  complete 
sets  of  stress -derating  curves  and  failure-rate 
tables  from  the  RCA  TR59-4l6-l  report  and  other 
necessary  reliability  information  extracted  from 
the  best  key  documents  originated  by  reliability 
engineers  at  Raytheon  and  the  industry  at  large. 
To  teach  them  how  to  use  this  tool,  periodic  re- 
liability seminars  and  lectures  are  conducted  for 
the  design  engineering  groups  by  the  Reliability 
Section. 

The  Parts  Application  Review.  Daily  contact 
between  the  reliability  and  design  engineers  is 
maintained  through  the  Parts  Application  Review 
Plan  (See  Figure  4)  which  is  a continuing  review 
of  the  circuits  and  parts  application  by  the  re- 
liability engineer.  In  this  manner,  he  is  always 
available  for  consultation  and  is  able  to  monitor 
the  progress  of  the  design.  As  he  notices  design 
discrepancies  or  potential  reliability  or  main- 
tainability deficiencies,  he  calls  them  to  the 
attention  of  the  responsible  design  engineer. 
Whenever  a disagreement  occurs  on  the  method  of 
corrective  action,  or  when  the  action  requires  an 
effort  or  decision  that  is  beyond  the  control  of 
the  interested  reliability  and  design  engineers, 
the  reliability  engineer  initiates  a Reliability 
Corrective  Action  Request  (RCAR)  form. 

The  "RCAR."  The  Reliability  Corrective  Ac- 
tion Request  or  "RCAR”  (See  Figure  4)  is  a Ray- 
theon Equipment  Division-wide  procedure  in  a one- 
page  format  that  has  proved  effective  on  other 
projects  during  the  past  years  in  initiating  and 
bringing  quick  action  on  reliability  problems  un- 
covered by  reliability  engineers.  The  initiator, 
who  is  the  reliability  engineer,  identifies  and 
describes  the  problem  and  recommends  a course  of 
corrective  action  in  the  upper  section  of  the 
RCAR  form.  The  addressee,  the  person  responsible 
for  the  design  of  the  equipment  under  question, 
must  give  a satisfactory  reply  within  a given 
number  of  days.  Failure  to  reply  within  this 
period  means  that  the  matter  will  be  brought  to 
the  attention  of  management. 

Gaining  Acceptance  by  the  Design  Engineer 

Looking  back  in  retrospect  some  two  years 
ago  when  the  concept  of  MTBF  apportionment  was 
first  introduced  to  the  MAULER  design  engineers, 
we  recall  the  many  stumbling  blocks  we  had  to 
overcome  and  the  many  misconceptions  we  had  to 
clarify  to  gain  the  confidence  and  acceptance  of 
the  design  engineers.  To  the  highly-analytical 
mind  of  many  design  engineers,  the  radical  idea 
of  treating  such  intangible  entities  as  MTBFs  or 
failure-rates  — which  are  in  themselves  indices 
of  reliability,  a probability  function  — as  if 
they  were  neatly- measurable  parameters  such  as 
resistance,  voltage,  and  frequency,  was  somewhat 


255 


akin  to  an  unscientific,  pseudo -engineering, 
"Ouija-Board"  approach.  Our  seminars  and  lectures 
in  mathematical  probability  and  statistics  to  de- 
sign engineers,  if  presented  at  a high -technical 
level,  were  often  looked  upon  disdainfully  as  os- 
tentatious displays  of  our  mathematical  prowess; 
if  presented  at  a lower  technical  level,  the  use 
of  visual  aids  such  as  playing  cards  and  dice  to 
illustrate  the  theory  of  chance  in  reliability 
only  strengthened  their  secret  suspicions  that  the 
reliability  engineers  used  a roulette  wheel  in  ap- 
portioning the  subsystem  MTBF.  More  effective 
were  our  reliability  lectures  from  an  engineering 
approach,  particularly  on  a "work- shop”  basis 
where  the  design  engineers  either  actively  parti- 
cipated or  followed  an  actual  reliability  analysis 
and  prediction  of  a given  subassembly.  But  the 
most  effective  of  all  in  gaining  acceptance  has 
been  the  daily  contacts  of  our  reliability  engin- 
eers with  the  design  engineers  where  there  was  a 
free  interchange  of  ideas  in  common  engineering 
language.  Thus,  the  initial  barriers  of  suspicion 
gradually  crumbled. 

A significant  measure  of  the  acceptance 
gained  is  the  fact  that  although  management  poli- 
cies and  procedures  exist  for  resolution  of  con- 
flicts that  may  arise  between  reliability  and  de- 
sign engineers,  during  a two-year  period  — even 
though  the  number  of  conflicts  were  many  — none 
was  serious  enough  to  submit  to  managerial  arbi- 
tration. In  our  opinion,  this  is  a good  record. 

Of  course,  due  credit  for  the  success  must  be  giv- 
en to  the  MAULER  Systems  Reliability  and  Quality 
Control  Manager  and  others  in  the  Systems  Organi- 
zation who  from  the  very  onset  of  the  design  ef- 
fort issued  management  directives  in  support  of 
the  Reliability  Section  line  organization  to  the 
effect  that  the  MTBF  apportioned  values  were  bind- 
ing design  requirements.  This  backing  dispelled 
any  doubts  in  the  design  engineer's  mind  as  to 
whether  the  reliability  requirements  would  be  en- 
forced. 

A Practical  Program  for  a Realizable  Goal 

During  the  preliminary  phase  of  the  MAULER 
Acq  and  T/l  radar  subsystems  design  concepts,  our 
initial  reliability  prediction  indicated  that: 

If  a carefully-planned  program 
for  designing  reliability  into 
the  equipment  were  implemented 
effectively,  an  advancement  in 
radar  reliability-design  state- 
of-the-art  by  an  MTBF  improve- 
ment factor  of  at  least  two 
would  be  necessary  to  meet  the 
reliability  contractual  require- 
ments. 


idity  of  our  premise  that  a planned  control  pro- 
gram for  designing  reliability  into  the  equipment 
would  or  could  be  implemented  effectively.  The 
key  was  the  MTBF  apportionment.  It  defined  not 
only  the  reliability  requirements  quantitatively 
for  each  subassembly,  but  also  parcelled-out  the 
reliability  design  load  to  each  design  engineer. 
The  lock  was  the  SMER  or  Specific  MAULER  Engineer- 
ing Requirements  document.  It  converted  the  MTBF 
apportioned  values  to  binding  design  requirements 
and  thereby  validated  our  initial  premise  that  a 
reliability  design -control  program  was  practical 
and  could  actually  function  if  organized  properly. 

The  MTBF  Apportionment  and  the  SMER,  by 
themselves,  do  not  guarentee  the  attainment  of 
our  reliability  design  goal  — they  only  open  the 
door  and  make  attainment  of  the  goal  possible  by 
other  reliability  engineering  tasks.  Significant 
progress  towards  achieving  the  goal  has  been  made 
to  date.  As  we  enter  the  R&D  design  phase,  the 
R&D  model  reliability-prediction,  which  is  in 
process  and  due  to  be  completed  at  the  end  of 
this  month,  will  measure  this  progress. 


REFERENCES 

1,  Naresky,  J.J.  RADC  Reliability  Notebook, 
PB161894,  RADC -TR- 58 -111,  ASTIA  Document 
No.  AD-148868,  McGraw-Hill  Book  Company, 

New  York,  N.Y.  October  1959,  Section  9, 
p.  6,  par.  5* 

2.  Dertinger,  E.F.  "A  Reliability  Program 
for  R&D  Projects,”  Proceedings  of  the  IRE 
National  Convention,  The  Institute  of 
Radio  Engineers,  New  York,  N.Y. 

March  1957,  Part  10,  p.39 

3*  Blanton,  H.E.  "Reliability -Predict ion 
Technique  for  Use  in  Design  of  Complex 
Systems,"  Proceedings  of  the  IRE  National 
Convention,  The  Institute  of  Radio  Engineers 
New  York,  N.Y.  March  1957,  Part  10,  J>.  70 

4.  Reliability  Manual,  Document  No.  D2-3246, 
Aero-Space  Division,  Boeing  Airplane  Co. 
Seattle,  Washington.  August  1961, 

pp.  3.2. 1.2  - 3*2. 1.3. 8 

5*  Bird,  G.T.  "On  Reliability  Prediction  in 
Satellite  Systems . " Proceedings  of  the 
National  Aeronautical  Elec tonics  Conference, 
institute  of  Radio  Engineers,  Dayton,  Ohio, 
May  i960,  p.  204 


Promoting  the  state-of-the-art  by  a factor 
of  at  least  two  represented  a technical  challenge 
that  never  gave  us  cause  for  consternation  — we 
were  always  confident  that  although  formidable, 
the  technical  challenge  was  not  insurmountable, 
as  borne  out  by  later  predictions.  Of  greater 
concern  was  the  then  questionable  val- 


256 


257 


NOTE:  EACH  DATA  CONVERTER 
CONTAINS  VELOCITY 


258 


Figure  2.  Reliability  Model  - Active-Search  Mode,  Acq  Radar 


*1 


ANTENNA 
B RESOLVERS 


08  EOUIV. 
AEG 


rHlGH^  SPEED] 

I APPROACHING 

r~1  GATE,  LOGIC.  I 


|_  SWEEP  | 

l46EQuiv. 

AEG 


Figure  3 Rcli ability  Modfil  — TI  Rad or 


259 


2 

Sc 

o 


CO 

h- 

z 

UJ 

2 

UJ 

DC 

3 

O 

UJ 

tr 

> 

H 

-J 

CD 

< 

-J 

UJ 

a: 

(T 

UJ 

2 

CO 


o 

»- 


UJ 

o 


K 

U 

Ul 

UJ 

DC 


CO 

a> 

3 

o 

o 

o 

C-, 

<£>  C 

"O  CO 

C <& 
CD  Q 

(D  C£ 

£*  U 

« 25 

3 *=5 
U 

*t->  «*H 

(/>  o 

4->  rH 

c o 

CD  Jm 

E +-> 
<D  C 
a>  o 

CD  o 

c 

CD  >> 

S *■> 

• H 

Q «"H 

•H 

<£  X> 
CD 

cr:  .h 
r-H 
CZ  <D 

u 

u 

tD  ^ 

< O 


<D 

0 

bD 

•H 


260 


Table  1.  Complexity  of  Acquisition  Radar  - Active  Search  Mode 


m 

€3  P 

p u 

© 63 
P CL. 
M 

p t+4 

CD  O 


O 

in 


o 


o 

in 

vo 


CO 

VO 


o 

I'- 

ve 


VO 

©V 


r- 


Ov 

CO 

ov 


in 

VO 

I— 

o 

CM 


in 

VO 


CO 

CO 

VO 

CO 

CM 


in 

vo 

CM 


P 

c 

p 

o 

u 

to 

p 
U I 

CO 

CL 


m u 
*—t  e 
*rt  J-» 
O 

O X 

<0 

u 

o 

P 

•H 

o 

& 

a 

63 

o 

to 

u 

o 

p 


to 

4> 

CC 

« 

4) 

ns 

O 


to 

u 

O 

P 

CO 

*rt 

W 

C 

CO 

P 

H 

to 

4) 

-Q 

H 


o 

CO 


o 

CO 


VO 

o 


r— 

H 

CO 


VO 

Ov 


00 

uo 


in 

in 


CM 

r— < 

CO 


CM 

vO 


in 

co 


co 

Ov 


oo 

vo 


CO 

CO 


oo 

vo 


CO 

OV 


oo 

oo 

CO 


CM 


VO 

vo 


o 

o 

CO 

CM 


o 

o 

CO 


o 

o 

o 

Ov 


o 

o 


Ov 

o 

CM 


Ov 

oo 

CM 


r- 

CM 


o 

in 

CO 

ov 


CM 

ov 

CM 


a 

« 

< 


P 

C 

p 

o 

a 


w 

< 


> 

•H 

3 

© 

CO 

a 

w 

< 

CM 

a 

w 

< 


a 

w 

< 


g 

ZD 


in 

CM 


OV 

ov 


o in 

CM  co 


CO 

in 


CO 

in 


CO 


CO 

o 

CM 


CO 

CO 


T> 

4> 

u 

4) 

-o 

• H 

w 

c 

o 

a 


in 

CO 

P 

t 

i 

1 

co 

» 

CO 

o 

rH 

f-H 

2: 

4) 

> 

F—i 

. 

4) 

P 

P 

C 

E 

o 

£ 

G 

p 

4) 

< 

• 

a 

4i 

P 

03 

o 

P 

JG 

p 

6] 

£ 

G 

V 

P 

a 

P 

• 

4) 

< 

N 

4> 

4) 

CD 

P 

P 

■ H 

P 

c 

> 

CO 

L> 

u 

£ 

P 

O 

£ 

be 

1 

* H 

4) 

O 

•rt 

♦H 

O 

G 

a* 

E 

> 

P 

e 

P 

o 

• H 

w 

• H 

-C 

(0 

« 

Pp 

• 

£ 

4) 

u 

£ 

> 

CS 

o 

P 

CO 

O 

G 

to 

4) 

P 

o 

£ 

£ 

4) 

>- 

P 

r-H 

63 

a 

< 

H 

ee 

CD 

H 

W 

a 

iH 

CM 

co 

n 

VO 

t— 

CO 

cc 

££ 

CC 

cc 

CC 

QC 

CC 

CC 

o 

vo 

OV 


* 

o 

o 


(0 

Li 

o 

H 


Ov 

cc 


8 


26l 


Counts  of  part  classifications  in  the 


Table  2.  Complexity  of  Acquisition  Radar  - .lammed  Search  Mode 


— I CO 

CO  L> 

*->  (h 

O <0 

a 

-Q 

3 *«-. 
(/}  O 


O 

m 

VO 


CO 

VO 


co 

in 


o 

vO 

CM 


r—  | 

CO 


Os 

in 


o 

co 


co 

t}* 


.1 


r- 


o 

c 

3 

o 

CJ 

CO 

+-> 

tn 

cc 

Cl 


(0  f-i 

*— i E 

•H  U 

o ^ 

CJ  X 

CO 

o 

L> 

•H 

O 

CO 

a 

CO 

CJ 

CO 

f-4 

o 

4-> 

CO 

•H 

CO 

a> 

CC 

co 

a; 

TD 

o 


co 

(-4 

<L 

E 

U* 

O 

co 

c 

<0 

u 

H 

co 

a; 

-Q 

3 

H 


o 

co 


o 

co 


in 


co 

co 


VO 

r— 

CM 


VO 

ON 


in 

rH 

CM 


CM 


CO 

CM 


CO 

in 


o 

co 


o 

r— 


CM 

VO 

CM 


in 

i— i 

CM 


O 

w 

< 


c 

3 

o 

<J 


a 

w 

< 


3 

O- 

w 

CO  I 

CJ 

w 

< I 

CM  I 

CJ 

w 

< 


o\ 

os 


o 

CM 


OS 

CM 


CM 

f"- 

co 


00 

in 


CJ 

W 

< 


co 

CM 


4-> 

•H 

c 

CD 


03 

E 

CO 

e 

H 

L, 

(4 

3 

JQ 

V 

• H 

O 

0) 

E 

> 

3 

«+-i 

■u 

(0  4) 

•H 

O 

4-> 

e 

U (0 

O 

(0 

< 

•H  (0 

O 

•H 

<0  J? 

ing 

U*  c 
u u 

V 0 

4) 

CC 

4; 

CJ 

&C 

C 

C 

> 

> L> 

> 

•H 

c _ 

•rt 

•H  O 

•H 

4>  « 

4; 

4!  4) 

(0 

a 

4->  ► 

U 

O 4-> 

CO 

E 

c *r? 

4) 

4/  4; 

(0 

<0 

m 

< Q 

CC 

CC  Q 

d. 

C/) 

H 

CC 

CM 

CC 

CO 

cc 

CC 

in 

cc 

L> 

o 

H 


<o 

a 

T3 

C 

co 


O 

w 

< 


T3 

0) 

(4 

41 

-C 


4-> 

c 

3 

O 

u 

a 

co 


co 

a; 

JsC 

(0 


CC 

-a 

e 

(0 

CO 

CC 


L 

<V 


a co 
E C 

o o 

CJ  o 


<L 

±J 

o 


262 


ount  due  to  redundancy 


Table  3.  Complexity  of  Tracking  - Illuminator  Radar 


4-3 

and 

s 

u 

03 

■P 

0 

03 

< 0 

Oh 

O 

03  C E 

• H 

u 

4.3 

<u  0 CO 

g 

CO  03 

• H 

xs  G -p 

ZD 

c > 

B 

3 P CO 

G • — 1 

0)  0 

c o 

03 

G 

r— 1 03 

O ^ "O 

4-3  C/3 

cu 

CO 

G i-t  c 

G 03 

> 

G 

hH  CO 

< cc 

H 

w 

H 

cc 

CM 

cc 

CO 

CC 

G 

O 

CO 

03 

• H 

4-3 

• H 

be  D- 

0 

O 03 

H 

o3  *H 

J 03 

TJ 

£ 

< V 

O O 

- CO 

g 

> S 

03 

1 

G 

•P  03 

G 03 

0)  be 

CO  O 

03  O 

CO  G 

O G 

> G 

•H 

03 

• H *G 

03  3* 

no  G 

03  O 

be  0 

03  03 

O G 

G CO 

03  -G 

03 

CO  G 

D-  O 

CC  CO 

CC  H 

CO  U 

UO 

VO 

CC 

CC 

CC 

263 


RELIABILITY  EVALUATION  AND  ENVIRONMENTAL 
TESTING  OF  PRINTED- WIRING-BOARD  SOLDER  JOINTS 

Mark  L.  Hinkle 

Light  Military  Electronics  Department 
General  Electric  Company 
Utica,  New  York 


„<3  L 

' Abstract 

During  the  last  three  to  four  years, 
our  Reliability  and  Maintainability  Engi- 
neering group  has  conducted  a series  of 
reliability  tests  of  solder  (tin,  lead; 
60-40)  joints  on  printed-wiring  boards. 

The  following  discuss Ion  presents  only  a 
few  highlights  of  this  testing  and  eval- 
uation. 

In  particular,  the  results  and  con- 
clusions are  given  from  an  extensive  test 
configuration  that  evaluated  the  effect  on 
solder-joint  reliability  of  some  eight 
different  factors , These  results  have 
provided  us  with  definitive  quantitative 
solder- joint  failure  rates  upon  which  can 
be  based  availability- cost  tradeoffs  and 
preferred  prlnted-wlring-board  solder- 
joint  configurations  for  ultrahlgh  relia- 
Dility  even  with  high  rates  of  temperature 
cycling  and  temperatures  of  100°C, 

I  Introduction  and  Background 

It  Is  not  unusual  to  have  as  many  as 
130,000  solder  joints  In  a single  subsys- 
tem for  which  we  have  provided  printed 
wiring  boards,  A solder  joint  failure 
rate  between  0*1  and  0*001  X 10“^  per 
joint  operated  hours  would  contribute — on 
the  average — between  26  and  0.26  failures 
for  each  such  subsystem  during  a 2000- 
hour  operating  life*  As  electronic  com- 
ponent part  average  failure  rates  approach 
this  range  (0*1  to  0*001  x 10“®  failures 
per  operating  hour)  solder  joints  alone 
could  well  contribute  approximately  two- 
thirds  of  all  failures.  Therefore,  be- 
cause of  the  need  for  high -re liability 
single-time  missions,  and  also  because  of 
availability-cost  considerations,  solder- 
joint  failure  rates  between  1 X 10-9  and 

I X 10*12  failures  per  hour  are  a present 
need , 

II  Factors  Contributing  to  Failure 

Earlier  evaluations  of  the  many  fac- 
tors affecting  printed-wiring-board 
solder- joint  reliability* 1  indicated  that, 
after  cooling,  the  solder  joint  has  a 
complicated  pattern  of  internal  and  ex- 
ternal stresses.  These  stresses  result 
from  the  slightly  different  coefficients 
of  thermal  expansion  together  with  the 
Inability  of  a practical  manufacturing 
process  to  differentially  adjust  and  con- 
trol the  temperatures  of  each  material 


{solder,  board,  copper  runs,  eyelet,  and 
component  leads)  while  the  solder  is 
solidifying.  Subsequent  heating  and 
cooling  of  joints  through  component  heat 
dissipation  should  alternately  reduce  and 
then  re-establish  the  built-in  internal 
solder- joint  stresses , This  stress  cycling 
should  cause  solder- joint  fatigue  damage 
and  thereby  accelerate  solder- joint  fail- 
ure . 

Other  factors  contributing  to  failure 
are  the  decrease  in  strength  of  tin-lead 
(60-40)  solder  at  high  temperature2  and 
after  high- temperature  aging.  The 
strength  of  this  solder,  after  1000  hours 
at  10Q°C,  is  reduced  to  approximately  10 
percent  of  its  Initial  value . The  percent 
of  Initial  strength  versus  time  is  approxi- 
mately a negative  exponential  function. 

The  above  considerations  led  to  the 
successful  development  of  11  high- tempera  ture- 
cycle”  and  "medium- temperature -cycle”  en- 
vironmental tests*  for  accelerated  environ- 
mental evaluation  of  printed-wiring -board 
solder- joint  reliability. 

Ill  Verification  that  a Temperature 

Cycling  Technique  would  Accelerate 

Solder-Joint  Failures 

A pilot  test  was  run  to  determine 
whether  solder  joint  failures  could  be 
accelerated  by  temperature  cycling*  Ten 
printed  wiring  boards  of  l/l6-inch  XXX-P 
phenolic,  each  containing  sixty  one -watt, 

10- ohm  composition  resistors  connected  in 
series,  to  give  a population  of  1200 
solder  joints  were  tested.  A high- 
temperature  cycle  (from  25 °C  to  about 
97 °C  and  return  to  25°C  every  30  minutes) 
was  accomplished  by  applying  130  volts  to 
each  board  for  20  minutes  {dissipating 
0,47  watts  per  resistor)  and  then  cooling 
with  a fan  during  a 10-mlnute  power-off 
period,  A mild  vibration  was  applied 
during  the  testing.  Ten  failures,  dis- 
tributed between  53  and  6091  hours  of 
testing,  definitely  established  that  tem- 
perature cycling  accelerated  solder  joint 
failures , 

♦Other  approaches  to  the  problem  of  accel- 
erated testing  were  taken*  One  of  these, 
thermal -shock  testing,  may  be  of  more  than 
academic  interest.  It  was  found  that  ther- 
mal shock  tended  to  increase  solder-joint 
reliability.  Details  appear  in  Appendix  3* 


26^ 


IV  Extensive  Test  Design  Configuration 

Prior  evaluations  and  test  results 
were  used  as  the  basis  for  constructing 
a test  designed  to  determine  and  evaluate 
the  effect  on  printed  wiring  board  solder 
joints  of*  (l)  type  of  joint;  (2)  board 
material;  (3)  board  thickness;  (4)  hand 
touch-up  of  solder  joints;  (5)  removal 
and  replacement  of  components:  (6)  method 
of  repair  of  failed  parts;  (7)  tempera- 
ture; (8)  vibration.  The  first  four  are 
design  and  process  factors;  the  fifth  and 
sixth  are  user  reliability  considerations, 
the  seventh  and  eighth  affect  both  design 
and  use*  Design  choices  among  the  first 
four  factors  will  be  made  in  the  light  of 
the  environmental  effects  revealed  by 
these  temperature  and  vibration  tests. 
Following  is  a complete  list  of  the  levels 
of  the  eight  factors  tested. 

1-  Joint  Types  (design  configurations, 
see  Figure  1*) 

a.  Standard  (eyelet  only) 

b . Plated  through  with  eyelet 

c.  Plated  through  without  eyelet 

d . Molded  plated  through 

2,3*  Printed  Wiring  Board  Materials  (2) 
and  Board  Thickness  (3) 

a.  XXXP-Phenolic  (1/16 -inch  and 
1/8 -inch) 

b.  Epoxy  Glass  (l/l6-inch) 

c.  Diallyl  Fhthalate  (l/l6-inch— 
molded) 

4 . In-process  Manufacturing  and 
Touch-up  of  Solder  Joints 

a,  with  touch-up 

b . without  touch-up 

5-  Removal  and  Replacement  of  Com- 
ponents Before  Test 

a,  with  removal  and  replacement 

b.  without  removal  and  replace- 
ment 

6.  Two  Methods  of  Repair  of  Failed 
Joints 

a . with  removal  of  old  solder 

b.  without  removal  of  old  solder 
7 * Temperature  Environments 

a.  High  temperature  cycle 

b . Medium  temperature  cycle 

c.  High  temperature  aging  (lOO°c) 

d.  Room  temperature  aging  (25°C) 

8,  Vibration  During  Life  Test 

a.  with  vibration  (l  g rms  at  the 
end  of  each  500  hours  of  life  test  for 
30  minutes,  sweeping  through  the 
boards  resonant  frequency  in  every 

3 minutes  and  40  seconds) 

b , without  vibration 

The  test  design  selected  was  neces- 
sarily a very  small  subset  of  the  4 2 X 
3 X 2b  *.  1539  tests  that  would  have  been 
required  for  complete  factorial  represen- 
tation of  the  levels  of  all  factors  that 

* 1 1 1 u s t r a tlo hs  app e a r at  end  of  paper 


could  have  been  evaluated.  Conclusive 
results  were,  however,  obtained  for  all 
of  the  factors  that  were  evaluated . 

Table  I gives  the  distribution  of 
printed  wiring  board  sample  sizes  for  the 
factors  indicated . Random  samples  of  the 
board  populations  were  selected  for  the 
test  conditions . Removal  and  replacement 
of  components,  touch-up  of  solder  joints, 
and  repair  of  solder  joints  were  per- 
formed upon  subsamples  of  the  eyelet  only, 
high -temperature -cycle  test  conditions , 
Samples  receiving  vibration  were  re- 
moved from  the  temperature  environment 
and  vibrated  at  25° C and  then  returned  to 
test.  Each  printed  wiring  board  used  in 
the  tests  had  100,  one -watt,  10-ohm  com- 
position resistors  connected  in  series, 
giving  a population  of  200  solder  joints 
for  each  board  indicated  in  Table  I.* 

The  solder- joint  temperature  environments 
were  generated  in  the  following  manner. 

A . High  Temperature  Cycling  (Fig  * 2 ) 
Each  board  was  connected  to  160  volts, 
giving  a 0.256  watts/resistor  dissi- 
pation to  heat  the  solder  joints  from 
25° C to  a maximum  of  100 °C  within  20 
minutes,  A motor  cam  mechanism  then 
turned  off  power  and  turned  on  a fan 
to  cool  to  the  25°C  within  10  minutes, 

B.  Medium  Temperature  Cycling  (Fig.  3) 
The  boards  were  heated  from  25°  C to 
35°C  in  25  minutes,  by  blowing  air 
across  two  600-watt  heaters.  Then 
O.65  volts  was  applied  to  the  boards, 
dissipating  0 .042  watts  per  resistor, 
and  heating  the  solder  joints  to  45°C 
in  30  minutes . After  2 1/2  hours  at 
45°C,  cool  air  was  blown  across  the 
boards  returning  the  solder  joints  to 
25° C in  30  minutes  where  they  remained 
for  three  hours . 

C.  High  Temperature  Aging,  The  sam- 
ples were  heated  in  an  over  at  1G0°C. 

D.  Room  Temperature  Aging.  The  am- 
bient temperature  was  25 ~C . 

V Results  and  Conclusions  on  the 
Factors  Evaluated 

The  following  conclusions  were  made 
on  the  basis  of  the  test  results  summarized 
in  Tables  II  and  III.  Although  estimated 
final  cumulative  failure  rates  are  given 
In  Table  III,  for  many  sample  test  condi- 
tions the  hazard  rate  was  not  constant 
across  time;  in  addition,  the  distribution 
of  failures  between  the  boards  in  some 
cases  indicated  definite  board-to-board 


^Tables  appear  at  end  of  paper 


266 


differences  within  a sample.  The  latter 
effects  are  discussed  in  Section  VI*  and 
Appendices  1 and  2 * 

The  following  are  the  conclusions 
reached  upon  each  of  the  factors  evaluated 
in  the  test; 

1*  Joint  Types  (Table  II ) * The 
plated-  througTT  hole  * solder  joint  is 
the  only  solder  joint  configuration 
that  should  he  used  for  high  relia- 
bility for  high -tempo nature  environ- 
ments from  50°  to  100 °C  when  tempera- 
ture cycling  effects  are  present . No 
preference  for  any  of  the  three  types 
of  plated  through  configurations  eval- 
uated has  been  shown, 

2 ) 3 . Board  Material  and  Thickness 
(Table  II).  At  temperature  cycling 
to  a maximum  of  45°  C*  where  avail- 
ability-cost tradeoffs  indicate  an 
eyelet-only  construction  has  a satis- 
factory reliability*  the  order  of 
preference  for  board  materials  and 
thickness  is : 

A.  1/16'1  epoxy  glass: 

solder  joint  failure  rate  approxi- 
mately 0,05  x 10-6  failures  per  joint 
operated  hour.  Longevity:  exceeds 
5720  hours 

B.  l/8n  XXX-P  Phenolic  (not 
tested  in  medium - temperature  cycling 
environment ) 

C.  1/16"  XXX-P  Phenolic:  solder 
joint  failure  rate  approximately 
2,6  X 10“°  failures  per  joint  oper- 
ated hours.  Longevity:  exceeds  1000 
hours . 

H , In-Process  Manufacturing  Hqnd 

Touch-up  of  Solder  Joints  (Table 
III)  . Indicated  slight  improve- 
ment  on  r,eyelet-onlyT!  solder  joints 
at  high  temperature  cycling  environ- 
ment ■ No  improvement  indicated  at 
medium  temperature  cycle.  Therefore* 
it  was  recommended  that  in-process 
hand  touch-up  of  solder  joint  be  dis- 
continued as  uneconomical;  however* 
this  does  not  preclude  process- 
shutdown  and  corrective  action  when 
the  solder  joints  of  a printed  wiring 
board  fail  to  pass  inspection, 

5 ,  Removal  and  Replacement  of  Com- 
ponents Before  Test  (Table  III) , 

Careful  removal  and  replacement  of 

all  100  resistors*  by  hand  soldering* 

on  two  l/l 6 Tl  epoxy  glass  boards  and 
two  l/l6IT  XXX-P  Phenolic  boards*  all 

with  an  "eyelet-only5 * * * * * 11  construction* 

indicated  that  reliability  during 

high  temperature  cycling  was  not  de- 
graded* but  improved — if  compared 
with  the  other  10  boards . The  solder 
(removed  and  replaced)  joint  samples 
also  had  failure  rates  approximating 


those  for  the  touched-up  joints  on 
similar  boards , 

6 . Repair  of  Failed  Joints  (Table  III) 

XT  Af  ter  482  hours  of  high- teni- 

perature  cycling  and  a 1 560 -hour 
storage  delay*  the  solder  joints  of 
the  1/8"  and  l/l6u  XXX-P  Phenolic 
boards  were  repaired , The  solder 
joints  repaired  by  melting  the  solder 
with  an  induction  heating  machine  and 
removing  all  solder  before  resoldering 
consistently  indicated  a failure  rate 
less  than  the  original  failure  rate  of 
the  sample  from  which  they  came  - This 
was  not  true  for  the  solder  joints 
that  were  resoldered  by  touch-up  of 
the  failed  joint  without  removing 
the  solder, 

7 . Temperature  Environments  (Table  II) 

The  order  of  severity  of  the~  test- 

environments  In  accelerating  solder 
joint  failures  was: 

A,  High -temperature  cycling 

B,  Medium- temperature  cycling 

C , High- temperature  aging 

D,  Room- temperature  aging 
These  effects  were  noted  as  being  a 
combination  of  accelerating  the  time 
of  occurrence  of  first  failures*  as 
well  as  accelerating  the  rate  of  fail- 
ure rate  increase  after  the  incidence 
of  first  failures, 

8 - Vibration  During  Life  Test . By 
conducting  vibration  at  discrete  times 
after  each  500  hours  of  temperature 
cycling*  and  checking  the  solder  joints 
before  the  vibration  testing*  it  was 
established  that  failures  occurred 
during  the  vibration  testing.  These 
failures  are  attributed  to  the  com- 
bined effects  of  decreased  solder 
joint  strength  during  temperature 
cycling*  and  final  detection  of  the 
Intermittent  or  open  condition  after 
vibration, 

VI  Comparison  of  Test  Results  with 
Field  Operational  Data 

An  Indicated  solder- joint  failure  rate 
of  0,0003  X 10-6  failures  per  joint  oper- 
ated hour  has  been  obtained  from  field 
operational  failure  datav  for  the  Polaris 
fire  control  system.  One  solder  joint 
failure  has  occurred  after  over  three 
billion  solder- joint  operated  hours.  The 
maximum  local  ambient  temperature  cycled 
to  in  this  equipment  Is  about  35°C  or 
10°C  below  the  45°C  of  the  medium- 
temperature  cycle  of  the  laboratory  test. 
This*  in  part--lf  not  entirely--explains 
the  different  solder  joint  failure  rate 
of  0,05  X 10"6  failures  per  hour  for  l/l6lf 
thick  epoxy  glass  boards  with  an  eyeleted 
(not  plated  through)  solder  joint*  in  the 


267 


laboratory  medium- temperature -cycle  en- 
vironment . 

The  solder- joint  failure  rate,  for 
approximately  the  same  solder- joint  con- 
figuration as  above  (same  type  of  board 
and  joint  construction),  from  field  data 
for  the  IMED  final  MIT  Polaris  Guidance 
Computer^  indicates  0.03  X 10~6  failures 
per  joint  operated  hours . This  is  for 
three  failures  during  approximately  100 
million  solder- joint  operated  hours . This 
later  failure  rate  is  for  a maximum  local 
ambient  temperature  near  the  45° C maximum 
temperature  of  the  laboratory  medium- 
temperature-cycle  testing  mentioned  above, 
and  indicates  the  relative  severity  of  the 
laboratory  temperature  cycling  testing 
(about  twice  that  of  field  operation  use, 
i.e.  0.05  X 10-6/0.03  X 10-6  = 1.7). 

The  most  likely  explanation  for  this 
difference  is  that,  for  the  field-operated 
equipment,  the  45° C represents  the  local 
maximum  ambient  temperature  which  only  a 
small  percentage  of  solder  joints  approach, 
while  in  the  laboratory  testing  all 
solder  joints  were  cycled  to  within  about 
3°C  of  the  45 °C  maximum. 

VII  Special  Methods  of  Analysis 

Applied  to  Some  Comparisons 

The  probability  of  chance  occurrence 
of  the  result  indicating  the  preferred 
type  of  joint--plated-through  construc- 
tion--is  less  than  7 X 10-'  even  based 
upon  nonparametric  run  theory  (Appendix 

n • 

Reference  to  Figures  4A  and  5 A indi- 
cates that  for  the  best  standard  (eyelet 
only)  solder  joints  tested  all  boards 
failed  earlier  than  2000  hours,  while 
none  of  the  plated-through  joints  had 
failed.  Figures  4b  and  5B  give  hazard 
rates  . 

The  preference  for  the  l/8n  XXX-P 
Phenolic  is  based  on  the  high- temperature 
test  results.  (See  Figures  6B  and  7B  for 
the  summary  of  the  worst  1/8"  sample  and 
compare  with  Figures  8b  and  9B  for  the 
1/16"  samples.)  For  the  1/16"  samples, 
instantaneous  hazard  rates  of  700  and 
24  X 10-6  occurred  at  or  before  180  hours, 
while  for  the  worst  1/8"  sample  (Figure 
6b)  the  hazard  rate  does  not  exceed  20  X 
10“6  until  between  180  and  282  hours. 

(The  variability  in  the  distribution  of 
failures  between  boards  is  well  illus- 
trated by  Figure  6A  and  Figure  Jk.  This 
variability  is  not  as  extreme  as  that  ob- 
tained with  one  of  the  l/l6"  XXX-P 
Phenolic  board  samples  in  the  medium- 
temperature-cycle  testing . ) 

The  conclusions  on  touch-up,  removal 
and  replacement,  and  methods  of  repair 
were  based  upon  comparison  of  the  failure 
rates  for  each  condition  as  compared  with 
the  failure  rates  for  the  Initial  virgin 
joints  for  that  same  sample.  This  may  be 


illustrated  by  considering  the  two  methods 
of  repair  of  solder  joints . With  refer- 
ence to  Figure  3A,  the  samples  of  32  and 
272  joints  repaired  by  first  removing  all 
old  solder  indicated  subsequent  failure 
rates  of  0 and  12  X 10“^,  both  below  that 
for  the  original  virgin  joints.  This  was 
also  true  for  the  other  repair  method  on 
the  l/l6"  XXX-P  Phenolic  boards . However, 
repair  on  the  1/8"  boards  without  re- 
moving the  old  solder  indicated  an  in- 
creased failure  rate  when  compared  to  the 
original  joints . The  variability  in  re- 
sults obtained  when  the  old  solder  was 
not  removed  could  be  explained  by  the  care 
taken  In  resoldering  to  obtain  a complete 
remelt  of  the  old  solder.  This  is  known 
to  be  desirable.  With  the  preferred 
method  not  only  is  a complete  melt  of 
solder  obtained  but  new  solder  is  used . 
Therefore,  the  removal  of  old  solder  was 
preferred . 

Since  none  of  the  plated-through 
solder  joints  had  failed  after  4000  hours 
of  high  temperature  cycling,  a few  of 
these  solder  joints  were  selected  for  a 
qualitative  microscopic  examination  to  de- 
termine if  there  was  any  indication  of 
incipient  failure.  Figure  10  is  a 25- 
power  magnification  of  a section  of  such 
a solder  joint  which  had  a slight  peri- 
pheral surface  crack  in  the  solder  around 
the  eyelet . No  evidence  of  the  crack 
propagating  could  be  detected. 

Summary 

This  paper  has  described  the  develop- 
ment of  a high-temperature-cycling  test 
which  is  most  severe  for  reliability 
testing  of  solder  joints.  The  results  of 
laboratory  medium- temperature -eye ling 
tests  have  been  compared  with  field  test 
results  to  indicate  quantitatively  the 
severity  of  this  test  level  . It  is  not 
known  what  the  reliability  of  these  plated- 
through  joint  types  is,  even  at  the  high 
temperature  cycle  test  conditions.  But 
failure  rates  less  than  0.01  X 10“^  per 
joint  operated  hour  are  indicated  as 
feasible  even  at  operating  temperatures 
to  100°C  with  extreme  temperature  cycling. 
How  much  lower  these  failure  rates  will 
be  at  maximum  operating  temperatures  of 
about  45°C  is  not  known  at  this  time  and 
may  not  be  known  for  a few  years. 


Acknowledgements 

The  author  wishes  to  recognize  the 
contribution  of  a few  of  the  many  people 
who  contributed  to  these  investigations: 
Mr.  G.  Henry,  General  Electric  Com- 
pany, Ordnance  Department,  Reliability; 
and  Mr.  S.  Mereurio,  General  Electric 
Company,  Light  Military  Electronics  De- 
partment, Polaris  Reliability;  for  recent 


268 


field  data  corroborating  the  realism  and 
failure  rate  levels  of  the  laboratory 
testing.  Messrs.  W.  Jezowski  and  D.  Yeaton 
of  the  Light  Military  Electronics  Depart- 
ment's Advanced  Manufacturing  Development 
group  and  Quality  Control  group  respec- 
tively, for  cooperation  prior  to  and  dur- 
ing testing.  Mr.  C.  J.  Cadieux  (LMED 
Manager  of  Reliability  Engineering)  and 
Messrs.  H.  L.  Benjamin  and  R.  Santin,  for- 
merly of  LMED  Reliability  Engineering, who 
initiated  the  investigation.  Mr.  Cadieux, 
who  has  been  instrumental  in  implementing 
the  results  and  has  encouraged  this  pre- 
sentation, deserves  particular  thanks . 
Finally,  the  author  wishes  to  express 
appreciation  to  the  two  persons  who  per- 
formed much  of  the  testing  and  the  fine 
details  involved  in  the  test  setup, 
failure  detection,  and  the  recording  of 
detailed  solder  joint  failure  logs:  Messrs. 
E.  Mails  and  R.  Malmgren. 


Appendix  1 


Run  Theory  Probability 


Since  there  were  differences  between 
boards  within  the  same  sample,  and  also 
large  differences  (particularly  in  the 
high- temperature -cycle  environment)  be- 
tween samples  in  the  hazard-rate  variation 
across  time,  nonparametric  run  theory  is 
a valid  method  for  making  comparisons  be- 
tween samples . This  method  does  not  de- 
pend  upon  any  assumption  of  failure  dis- 
tribution across  time  and  is  sensitive  to 
differences  between  boards  within  a sam- 
ple . 

The  following  probability  indicates 
that  there  are  only  seven  chances  in  ten 
million  identical  experiments  of  all- 
twelve  boards  of  one  test  sample  failing 
earlier  than  those  of  another  test  sample 
if  the  samples  are  of  equal  reliability? . 


Prob=2 


' 12  11  10  9 8 7 6 5 

"25  “ ‘SJ  • 22  • 2T  ”2^  * * IH  ' 17 


4 3 2 ll 

16  ' 15  ’ * 13J 


= 7.4  X 10"7 


In  general,  the  probability  of  a particu- 
lar number  of  runs  K (number  of  groups  of 
like  elements  being  adjacent)  happening 
when  there  are  r1  elements  of  one  kind 
and  rg  elements  of  the  other  kind  is-^: 


)A  * 
means  — ^ ov 

(A-B) IB! 

the  number  of  combinations  of  A objects 
taken  B at  a time. 


Appendix  2 


Failure  Histories  Versus  Time 

Originally,  it  was  intended  to  com- 
pare the  results  of  the  different  test 
conditions  on  the  basis  of  the  parameters 
of  the  usual  failure  distributions  such 
as  the  exponential  or  the  Weibull  distri- 
bution. However,  it  is  now  believed  that 
the  selection  of  the  most  critical  fatigue - 
accelerating  environments  for  solder  joints, 
namely,  temperature  cycling,  changes  both 
the  location  parameter  and  shape  para- 
meter of  a possible  Weibull  distribution 
for  the  early  test  time,  i.e. 

R(t).e-[XW)F 

It  was  also  found,  however,  that  the  haz- 
ard rates  z(t)  in  the  accelerated  high- 
temperature  -cycle  environment  did  not  con- 
form to  any  of  the  usual  distributions . 
Therefore,  the  actual  hazard  rates  for 
each  test  condition  were  computed.  Figures 
4b  to  9B  are  examples  of  the  estimates  of 
the  instantaneous  Z(t)  and  cumulative  z(t) 
computed  as  follows: 

- [r( t + At)  - R( t )~j 
At  • R(t) 

2 .KU)  - N(t  + At) 

At  • N( t ) 

where:  R(t)  is  the  percent  surviving  at 
time  t, 

N(t)  is  the  number  surviving  at 
time  t . 


z(t) 


- dR(t) 
dt 


R(t) 


Appendix  3 

Evaluation  of  Liquid -Nitrogen  Thermal- 
Shock  Testing  to  Locate  Potential  Failures 

Concurrent  with  an  initial  pilot  test 
to  determine  if  temperature  cycling 
could  be  used  to  obtain  accelerated  solder 
joint  failures  with  failure  modes  that 
resembled  those  of  field-operation  failure, 
a final  evaluation  of  a liquid-nitrogen 
thermal-shock  testing  technique  was  made. 
This  test  method  was  intended  to  either 
detect  weak  solder  joints  or  to  provide 
a conditioning  that  would  enable  early  de- 
tection during  life  test  of  such  intrin- 
sically weak  joints.  The  results  of  this 
testing  are  referenced  because  they  indi- 


269 


References 


cated  an  inverse  effect  on  solder-joint 
reliability  of  this  particular  short-term 
stress  testing.  However*  component  part 
reliability  considerations --damage  during 
this  thermal  shock — precluded  using  this 
inverse  effect  to  improve  solder  joint 
reliability. 

The  conclusions  are  based  upon  the 
following  test  evaluation,  A sample  of 
20  printed  wiring  boards  was  selected. 
These  were  1/16"  1GQC-P  Phenolic  boards,, 
each  containing  sixty  one -watt*  10-ohm 
composition  resistors  connected  in  series 
giving  a population  of  2*100  solder  joints  . 
A random  sample  of  10  of  the  20  boards  was 
subjected  to  12  cycles  of  thermal  shock: 
from  80°C  to  12  seconds  in  liquid  nitro- 
gen. (prior  thermocouple  measurements 
indicated  that  the  solder  joints  cooled 
below  -185°C  within  six  seconds*  while 

11  to  12  seconds  was  required  for  the 
board  temperature  to  stabilize  below 
-135°C , ) All  twenty  boards  were  then  sub- 
jected to  the  high-temperature  cycle  life- 
test  conditions , The  results  after  6600 
hours  of  life  test  were: 

1*  None  of  the  solder  joints  given 

12  cycles  of  thermal  shock  failed  during 
thermal  shock  testing . 

2-  Only  one  solder  Joint  of  the  1200 
thermal -shocked  joints  failed  during  sub- 
sequent life  test, 

3 . Ten  solder  joints  of  the  other 
1200  solder  joints  failed, 

4,  Twenty-four  resistors  on  the 
thermal -shocked  boards  failed  during  life 
test.  No  resistors  failed  on  the  other 
boards , 

During  testing*  detailed  examination 
of  all  the  resistors  on  the  test  boards 
Indicated  there  were  radial  hairline 
fractures  in  the  body  area  of  some  of  the 
resistors  on  the  thermal -shocked  boards. 
These  resistors  subsequently  failed  dur- 
ing the  life  testing . 


1 . 11 Evaluation  of  Techniques  for  Locating 
potential  Solder  Joint  Failures  on 
Printed  Wiring  Boards'1*  General  Elec- 
tric Technical  Information  Series* 
R53EML11*  by  R,  Sant in*  dated  April 
15,  1959  - 

2,  "Solder" * Publication  of  Federated 
Metals*  Division  of  American  Smelting 
and  Refining  Company, 

3-  "Thirteenth  Numerical  Reliability 

Summary  Polaris  Fire  Control  Mariner 
II  NWA  Tender  Shore  Support  Submarine" 
prepared  by  General  Electric*  Ordnance 
Department*  Reliability  Unit*  100 
Plastics  Ave , * Pittsfield*  Mass ,* 
dated  November  9*  I960, 

4,  "Failure  Trends  and  Corrective  Action 
Report  No , 1 Polaris  Guidance  Mark  I" 
prepared  by  General  Electric*  Ordnance 
Department*  Reliability  Unit*  100 
Plastics  Ave,*  Pittsfield*  Mass.*  dated 
January  15*  1962. 

5*  Feller*  W.*  "An  Introduction  to 

Probability  Theory  and  Its  Applica- 
tion" * John  Wiley  and  Sons*  Incor- 
porated * 195^,  page  57- 


270 


Table  I.  Test  Plan 


Board 

Type 

Subjected 

To 

Vibration 

NUMBER  OP  BOARDS  ON  TEST 

Hand 

Touch-Up 

High 

Temperature 

Cycle 

Medium 

Temperature 

Cycle 

High 

Temperature 

Aging 

Room 

Temperature 

Aging 

EPOXY  GLASS 

YES 

YES 

12 

12 

NO 

12 

NO 

YES 

12 

11 

NO 

12 

12 

12 

12 

ONE-SIXTEENTH 

TMPU  VYYP 

YES 

YES 

12 

12 

NO 

12 

Uivil  AAAJr 

(Standards) 

NO 

YES 

12 

12 

NO 

12 

12 

12 

ONE-EIGHTH 
INCH  XXXP 
(Standards) 

YES 

YES 

NO 

15 

NO 

YES 

NO 

15 

fcPOXY  GLASS 
Plated  Through 
With  Eyelet 

YES 

YES 

NO 

15 

NO 

YES 

NO 

15 

15 

EPOXY  GLASS 
Plated  Through 
Without  Eyelet 

YES 

YES 

NO 

15 

NO 

YES 

NO 

15 

15 

MOLDED 
Plated  Through 
Without  Eyelet 

YES 

YES 

NO 

25 

NO 

YES 

NO 

25 

271 


TABLE  II.  TEST  DATA 


High 

Temperature 

Cycle 

Medium 

Temperature 

Cycle 

High 

Temperature 

Aging 

Room 

Temperature 

Aging 

Board  Type 

G 

a 

1 

1 

0, 

0 

1 

JZ 

0 

3 

0 

h 

Number  of 
Joints 

G 

O 

» 

£ B 

Sr" 

WE-« 

Failures* 

Number  of 
Joints 

Hours  on 
Test 

fl- 

ea 

n 

a 

i 

Number  of 
Joints 

G 

0 

w 

^ tj 

0 o- 
Xfr 

fl- 

ea 

at 

U 

F-f 

nJ 

lx. 

Number  of 
Joints 

Hours  on 
Test 

* 

w 

at 

g 

p — 1 
£ 

EPOXY  GLASS 
{Standards) 

Yes 

Yea 

2,  400 

2,  000 

IT 

250 

2,  400 

2,000 

0 

2,  400 

5,720 

2 

Yes 

2,400 

5,720 

0 

2,  200 

11,  250 

0 

2,  000 

2,  000 

IT 

193 

2,  400 

5,720 

0 

2,  400 

2,  000 

0 

2,  400 

11,250 

0 

ONE -SIXTEENTH 
INCH  XXXP 
(Standards) 

Yes 

Yea 

2,  400 

2,000 

221 

2,  400 

2,  000 

IT 

4 

2,  400 

5,720 

170 

Yea 

2,  400 

5,720 

32 

2,400 

11, 250 

0 

2,  000 

2,000 

706 

2,  400 

2,  000 

0 

2,  400 

11, 250 

0 

ONE-EIGHTH 
INCH  XXXP 
(Standards) 

Yes 

Yes 

3,000 

1,  GOO 

142T 

185 

Yes 

3,000 

1,  500 

13T 

SO 

EPOXY  GLASS 
Plated  Through 
With  Eyelet 

Yea 

Yea 

3,000 

4,000 

0 

Yes 

3,000 

4,  000 

0 

3,  000 

5,720 

0 

EPOXY  GLASS 
Plated  Through 
Without  Eyelet 

Yes 

Yea 

3,000 

4,000 

0 

Yea 

3,000 

4,000 

0 

3,  000 

5,  720 

0 

MOLDED 
Plated  Through 

Yes 

Yea 

5,000 

4,  000 

0 

Without  Eyelet 

Yes 

5,000 

4,  000 

0 

*Top -joint  failures  are  designated  by  a T following  the  number;  all  others  are  bottom -joint  failures. 


272 


TABLE  IH.  FAILURE  RATES  OF  HIGH  AND  MEDIUM  TEMPERATURE  CYCLES 


* Re  paired  by  removing  all  old  solder 
*01d  solder  not  removed 

Failure  Rates  are  in  failures  per  million  joint  hours  of  test 


o 

£ 


hs 

Q >H 

p 

HmEl] 
k ^ Eh 


cm 


274 


CO 


TEMPERATURE  {“  C) 


TOP  OF  BOARD 


THERMOCOUPLE  NO.  4 


THERMOCOUPLE 
NO.  3 


THERMOCOUPLE  NO.  I 


FAILURE  RATE  X 10 


HIGH  TEP 

4F,  CYCLE 

FAILURES  PER  BOARD 

Life 

Total 

Board 

No. 

Test 

Hours 

Failures 

1 

2 

3 

4 

5 

8 

7 

8 

9 

10 

LI 

12 

482 

897 

8 

1 

1 

1 * 

3 

1 

1 

1 

1800 

39 

2 

1 

5 

6 

1 

8 

1 

1 

7 

9 

1264 

77 

2 

2 

8 

U 

12 

14 

1 

5 

14 

12 

1500 

137 

9 

Z 

5 

15 

23 

20 

21 

1 

2 

7 

24 

19 

2000 

193 

13 

4 

11 

23 

35 

32 

25 

2 

2 

10 

33 

30 

These  two 
boards  had 
all  their  com- 
ponents re- 
moved and  re- 
placed, Their 
failures  are 
not  Included 
In  totals  at 
left. 

* Top  Join! 


(A) 


(B) 


277 


FAILURE  RATE  X lo' 


HIGH  TEMP* 

CYCLE 

FAILURE  PER 

board 

Life 

Test 

Hours 

Total 

Failures 

Board  No, 

1 

2 

3 

4 

5 

6 

7 

a 

9 

1 0 

1 L 

12 

500 

VIB  I 

3 

3 

1002 

36 

5 

10 

J 1 

10 

VIB  11 

36 

5 

10 

1 1 

10 

1194 

70 

7 

16 

1 

20 

7 

3 

3 

7 

u 

2 

1 

1500 

151 

12  , 

20 

5 

27 

0 

1 1* 

20 

10 

20 

7 

3 

VJB  III 

177 

14 

22 

5 

29 

10 

15 

20 

21 

27 

0 

3 

1764 

Z06 

16 

24 

5 

34 

14 

10 

20 

22 

30 

10 

2 

4 

2000 

250 

19 

32 

6 

37 

16 

23 

35 

27 

39 

14 

6 

5 

# One  Top  Joint  Failed 


278 


FAILURE  RATE  X 10 


HIGH  TEMP  CYCLE 

FAILURES  PER  BOARD 

Life 

Test 

Hours 

Board  No, 

Total 

Failures 

1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15  i 

1B0 

12 

3 

5 

2 

2 

282 

72 

12 

20 

35 

5 

426 

83 

20 

23 

35 

5 

505 

105 

23 

30 

42 

10 

1560 

AGING 

117 

24 

31 

48 

13 

1 

VIB 

135 

26 

33 

50 

13 

13 

1000 

161 

32 

36 

3 

57 

3 

17 

13 

VIB 

166 

34 

36 

1 

3 

58 

3 

17 

14 

1500 

178 

34 

39 

I 

4 

61 

1 

4 

20 

14 

VIB 

185 

36 

1 

41 

l 

4 

61 

1 

4 

20 

15 

1 

(A) 


279 


FAILURE  RATE  X 10 


HIGH  TEMP.  CYCLE 

FAILURES  PER  BOARD 

Life 

Board  No.  1 

1 esx 
Hours 

1 otai 
Failures 

1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

330 

1 

1 

1560 

AGING 

23 

1 

14 

7 

1 

505 

VIB 

33 

1 

19 

1 

11 

1 

529 

36 

1 

19 

3 

1 

11 

1 

553 

37 

1 

20 

3 

1 

11 

1 

649 

39 

1 

21 

3 

1 

1 

11 

1 

697 

48 

1 

5 

21 

1 

1 

1 

n 

1 

715 

52 

1 

5 

21 

H 

1 

2 

3 

11 

1 

787 

54 

1 

5 

23 

I 

1 

2 

3 

11 

1 

883 

55 

1 

5 

23 

::’i 

1 

2 

3 j 

12 

1 

1000 

64 

1 

9 

27 

1 

3 

3 

12 

VIB 

93 

7 

1 

10 

31 

1 

6 

1 

17 

fifl 

1264 

95 

8 

1 

10 

31 

10 

1 

6 

17 

H 

1500 

129 

8 

1 

14 

34 

13 

1 

1 

20 

1 

21 

mm 

VIB 

142 

9 

1 

15 

37 

13 

H 

3 

23 

■ 

24 

H 

CA) 


(B) 


280 


FAILURE  RATE  X 10 


HIGH  TEMP. 

CYCLE 

FAILURES  PER  BOARD 

Life 

Total 

Failures 

Board  No. 

Test 

Hours 

1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

1 1 

12 

180 

253 

22 

40 

53 

11 

36 

63 

28 

3 

260 

339 

27 

72 

70 

15 

46 

79 

30 

3 

482 

499 

40 

13 

94 

95 

21 

54 

88 

13 

51 

30 

5 

AGING 

539 

42 

13 

106 

97 

25 

66 

88 

13 

53 

36 

5 

6 

1000 

660 

53 

18 

121 

112 

32 

76 

119 

19 

62 

48 

6 

8 

1500 

748 

72 

25 

137 

117 

38 

87 

127 

20 

72 

53 

8 

6 

2000 

796 

81 

28 

142 

121 

42 

89 

135 

21 

78 

59 

8 

6 

j 

These 
board 
all  th< 
compc 
remo' 
re  plat 
Their 
ures  i 
indue 
totals 

! two 
s had 
sir 

?nents 
vred  and 
zed. 
fail- 
are  not 
led  in 
at  left. 

i 

(A) 


281  (B) 


FAILURE  RATE  XIQ 


HIGH  TEMP 

CYCLE 

FAILURES  PER  BOARD 

Life 

Teel 

Hours 

Total 

Failures 

Board  No, 

1 

2 

3 

4 

5 

6 

7 

B 

0 

10  ' 

11 

12 

180 

10 

l 

9 

260 

14 

1 

11 

2 

462 

62 

1 

17 

6 

30 

6 

1560 

AGING 

04 

3 

17 

6 

30 

a 

VJB 

105 

7 

5 

10 

4 

24 

7 

39 

9 

1000 

157 

12 

1 

9 

1 

10 

5 

5 

26 

12 

50 

17 

VIB 

178 

17 

2 

1 

10 

1 

24 

5 

3 

26 

12 

52 

20 

1500 

199 

20 

2 

2 

U 

2 

26 

5 

3 

27 

14 

58 

24 

V3B 

215 

22 

3 

3 

12 

3 

26 

6 

6 

28 

14 

63 

27 

2000 

221 

22 

4 

3 

14 

3 

26 

6 

8 

28 

15 

64 

28 

(A) 


(B) 


282 


283 


EXPERIMENTAL  EVALUATION  OF  PREDICTIONS  OF 
PROBABLE  CIRCUIT  PERFORMANCE 


M.  A.  Young 

International  Business  Machines  Corporation 
Space  Guidance  Center 
Owego,  New  York 


Introduction 

The  satisfactory  performance  of  a circuit  is 
usually  specified  in  terms  of  a range  of  acceptance 
values  for  one  or  more  output  parameters,  such  as 
voltage  level,  load  current,  or  frequency  response. 
Circuit  malfunction  occurs  if  a parameter  value 
falls  outside  these  failure  limits.  Such  a parameter 
value  may  be  due  to  a catastrophic  failure  of  a 
component  part  or  to  degradation  of  component 
part  parameters  with  age. 

Consider,  now,  the  matter  of  predicting  the 
reliability  of  circuits  during  the  design  phase  of  a 
development  program.  Reliability  engineers  have 
concentrated  their  attention  mainly  on  predicting 
reliability  based  on  catastrophic  component  part 
failure.  At  the  same  time,  there  has  been  an 
awareness  of  the  circuit  degradation  question,  and 
considerable  literature  now  exists  on  the  theory 

of  predicting  probable  circuit  performance. 3, 4 

More  difficult  to  find  are  published  experimental 
results  showing  the  practicality  of  these  tech- 
niques. 

Predictions  of  probable  circuit  performance 
appeal  to  those  factors  in  a circuit  design  which 
are  of  direct  concern  to  the  designer.  These  pre- 
dictions take  into  account  the  particular  design 
configuration  and  the  interaction  of  part  param- 
eters on  operating  points,  plus  the  effects  of  part 
parameter  drift  and  their  joint  probabilities  of 
occurance. 

This  paper  reports  the  results^  obtained  when 
six  digital  computer  switching  circuits  were 
analyzed  for  probable  performance  at  2000  hours 
life,  compared  with  measured  performance  at 
about  the  same  age  based  on  a controlled  life  test 
of  circuit  samples.  Three  of  the  more  common 
techniques  covered  in  the  literature  are  applied: 
the  Combination  method,*  the  Monte  Carlo 
method  (synthetic  sampling),  and  regression 
analysis. 


* designating  the  analytical  combination- of  - 

distributions  for  functions  of  random  variables. 


Prediction  of  Probable  Circuit  Performance 
Circuit  Failure  Characteristics 

At  some  risk  of  over  simplification,  it  can 
be  said  that  circuit  failures  are  the  result  of  one 
of  two  possible  events:  (a)  catastrophic  com- 
ponent part  failure,  which  causes  circuit  failure 
in  nearly  all  cases;  or  (b)  component  part  parameter 
degradation,  which  may  result  in  out- of -specifi- 
cation drift  of  a circuit  output  parameter  even 
though  no  part  has  failed  catastrophically.  The 
distinction  between  these  two  general  types  of 
circuit  failure  is  not  always  clear  in  practice. 
However,  catastrophic  failure  in  a component 
part  is  usually  described  as  an  extreme  excursion 
of  a parameter  within  a short  time  interval,  re- 
sulting in  severe  impairment  of  the  partTs  nor- 
mal function.  Circuit  drift  failure  may  be  defined 
as  any  crossing  of  a failure  boundry  by  an  output 
parameter,  with  all  component  parts  functioning, 
but  with  one  or  more  part  parameters  exceeding 
initial  specification  limits.* 

Circuit  Degradation  Failure  Model 

A performance  characteristic  of  a particular 
circuit  - for  example,  the  steady- state  output 
voltage  - is  a function  of  several  component  part 
parameters  whose  exact  values  for  any  single 
circuit  are  unknown.  It  will  be  assumed  that  a 
large  number  of  this  circuit  is  to  be  assembled 
and  operated  in  identical  fashion.  The  output 
parameter  is  treated  as  a random  variable,  Y, 
with  continuous  distribution  function, 

Fy(y)  = P {y  < y} , (1) 

in  which 

y is  a particular  value  of  the  parameter,  and 

Fy  (y)  is  the  probability  that  a circuit  with 

parameter  value  y or  less  will  occur. 


* this  definition  assumes  that  no  combination  of 
acceptable  initial  parts  will  be  assembled  into 
a circuit  having  unacceptable  output  parameters 
at  time  zero. 


285 


As  circuits  are  operated  and  begin  to  "age”, 
the  component  part  parameters  undergo  changes 
in  value,  causing  the  total  population  to  change  in 
some  manner.  Therefore,  Yt  denotes  a random 
variable  defined  at  some  time,  ”t"  hours,  and  the 
distribution  function  becomes, 

Fyt(y)  = P {Yt<  y}  . (2) 

The  methods  ol  analysis  used  in  this  study 
require  that  the  drift  (or  degradation)  of  individual 
component  part  parameters  with  time  be  approxi- 
mately nondecr easing  or  nonincr easing  over  the 
time  period  of  interest.  Also  excluded  are  inter  - 
mittent  and  catastrophic  part  parameter  failures. 


Recalling  that  satisfactory  circuit  opera- 
tion is  defined  in  terms  of  failure  limits  on  "y”, 
the  probability  of  satisfactory  performance  of 
this  parameter  at  time  ”t",  considering  only 
drift,  is, 


P 


"y"  gives  \ 
satisfactory  j 
performance  J 
^at  "t"hours j 


■l-p{Yt<yi}  - 
[l-p{Yt<y2}] 


= FYt(y2)-FYt(yi), 


in  which 


(3) 


is  the  lower-valued  failure  limit  and 

is  the  higher -valued  failure  limit  on 
output  parameter  "y".  * 

In  this  paper,  attention  is  focused  upon 
evaluating  how  well  a predicted  distribution 
function  agrees  with  the  observed  (measured) 
distribution  of  an  individual  output  parameter. 
The  foregoing  discussion  brings  out  the  fact  that 
predicting  distribution  functions  of  circuit  output 
parameters  is  certainly  basic  to  predicting  over- 
all circuit  drift  reliability.  A complete  predic- 
tion of  circuit  reliability  would  utilize  these 
parameter  distributions  to  obtain  a total  proba- 
bility of  drift  failure,  which  might  reasonably  be 
assumed  to  be  an  event  mutually  exclusive  from 
catastrophic  circuit  failure.  Derivation  of  total 
drift  failure  pro  ability  must  consider  whether 
independence  between  output  parameters  exists 
(it  probably  does  not). 

* assuming  Fy^^)  * Fy  (y^)  = i,in  agreement 

with  the  definition  of  circuit  drift  failure 
stated  previously. 


Estimating  Circuit  Distribution  Functions 

An  estimate  of  the  distribution  function  of  a 
circuit  output  parameter  at  various  ages  may  be 
obtained  by  fabricating  a number  of  circuits  and 
operating  them  for  the  required  time,  during 
which  the  performance  of  circuits  is  periodically 
measured.  This  method,  commonly  called  a 
’life  test”,  provides  a direct,  statistical  estimate 
of  the  distribution  Fy^y).  However,  this  method 
is  time  consuming  and  relatively  expensive. 

Analytical  prediction  methods  are  based  on 
the  use  of  test-derived  statistical  estimates  of 
component  part  parameter  distributions,  which 
are  combined  to  yield  a circuit  distribution 
function.  A circuit  output  parameter  may  be 
expressed  as  some  function  of  the  part  parameter 
values, 


y = y (x^Xg,.. . ,x.,.. . ,3^)  = 

y(V  (4) 

in  which  the  are  assumed  to  be  ,TnH  inde- 
pendent component  part  parameters,  each  having 
a continuous  distribution  function,  at  time  "t", 

Fxi)t(xi)  = P {Xi)t<  xj  . (5) 

Estimates  of  part  parameter  distributions  are 
derived  from  aging  tests  performed  either  by  the 
part  manufacturer  or  by  the  equipment  developer, 
in  the  early  phases  of  a project.  These  tests  are 
generally  less  expensive  than  circuit  life  tests, 
and  they  may  be  applicable  to  many  circuits  using 
the  same  types  of  component  parts.  Depending 
on  the  application,  it  may  also  be  possible  to 
estimate  Fx*  t(xi)  from  previous  tests  of  similar 
component  pan:  types. 

Deriving  Fyt(y)  from  the  various  FXj  t(xi )'s 
requires  that  be  analyzed  as  a joint  probability 
function  of  all  t)’s  for  any  "y"  value.  5 The 
general  analytical  solution  in  the  continuous  case 
proceeds  as  follows: 

a.  equation  (4)  is  solved  for  some  Xj, 
for  example  Xj,  to  give  the  new 
function, 

H = h (y,  X2,x3j.  ..  ,xn); 

b.  the  probability  density  function  of 

"y’\  fyt(y)  = FYt(y) 

is  then, 


286 


fYt(y)  / / ' /-^■t[h(y>  X2>X3>- ’ *>  x*>] 

x2  x3  xn 

d FX2j  d fX3)  t(x3^-  • ‘ d FXn;t^xn^; 

(6) 

the  solution  of  which  can  be  used  to  obtain  Fy^y) 
for  any  "y".  In  (6)  the  notation  on  integration 
limits  means  that  they  are  carried  out  over  all 
values  of  the  "x|". 

Combination  Method 

In  practice  it  rarely  is  feasible  to  obtain  an 
exact  analytical  solution  due  to  the  difficulty  in 
solving  (6),  for  all  but  the  simplest  forms  of 
y (x^);  and  then  only  for  restricted  forms  of 
Fxi?t(xi)rs‘  For  sample,  if  y(xn)  is  of  the  form, 

y = +x2  (7) 

an  algebraic  solution  exists  if  both  Xi  and  X2  are 
distributed  N : (^u,x,  crx 2)>  a "Normal"  distri- 
bution with  mean,  ^Lx,  and  variance,  cr x , given 

by, 


Fx'(  x)  = 'J 2 tt  crxeXP 


1 /x  '^xf 


2 V^X 


(8) 


2 

In  this  special  case,  Fy(y)  is  also  N : (^y?  cry  ), 
with  parameters  given  by, 


H-Y  ~ MXi  + MX2’ 

(9) 

=y°-Xl2  + aX2 

(10) 

Approximate  forms  of  Fy^(y)  can  often  be 
obtained  using  the  combination  method  by  simplifi- 
cation of  y(xn).  For  example,  part  parameters 
with  small  variance,  and  those  having  little 
effect  on  My1f,  may  be  assumed  to  be  constant 
far  a given  r,t11.  The  remaining  variables  must 
be  assumed  to  be  approximately  Normal.  In 
some  cases,  these  may  be  transformed  to  some 
new  random  variable  which  is  approximately 
Normal.  Approximate  solutions  are  given  in 
Reference  5,  for  product  and  quotient  functions 
of  random  variables. 

Monte  Carlo  Solutions 


FXi  ^ (Xj),  have  been  estimated  from  tests,  it  is 
possible  to  randomly  sample  values  of  each 
with  the  prescribed  probability  that  any  par- 
ticular jth  variate,  (x^j,  will  be  selected  in  a 
large  number  of  trials.  A digital  computer  may 
be  programmed  to  perform  the  selections,  and 
provide  solutions  of  y (xn).  ® It  is  not  necessary 
(although  it  is  possible)  to  identify  the  part 
parameter  distributions  as  being  a specific  type, 
such  as  Normal,  since  the  computer  program 
samples  from  a reconstructed  form  of  the 
observed  distribution,  regardless  of  its  shape. 

Each  trial  consists  of  randomly  selecting 
a single  complete  set  of  "x."  values,  denoted 
(xr)  j for  the  jth  trial.  The  circuit  equation  is 
then  solved  for  this  set. 


yj  = y (xn)j  . (ii) 

A large  number  of  trials  are  performed, 
from  which  a set  of  circuit  output  values  are 
accumulated,  y = (yj,  y2,  yj,  . ..Ym). 

Within  this  set  of  values,  particular  values  of 
"yf1  occur  with  approximately  the  same  frequency 
as  would  be  predicted  by  an  analytical  solution  of 
equation  (6)-  This  is. 


Fyt(y)« 


(number  of  solutions , y j < y) 

M (12) 


for  large  M.  Note  also  that  complex  forms  of 
y(x  ) constitute  a lesser  problem,  since 
numerical  computer  solutions  are  usually  feasible. 

Circuit  Equations 

Some  choice  also  exists  in  deriving  a circuit 
equation,  y = y(xn),  A conventional  method  is  to 
apply  linear  circuit  theory,  approximating  non- 
linear parameter  functions  where  necessary.  A 
second  method  is  to  derive  an  empirical  equation 
using  regression  analysis,  or  the  ” least  square" 
technique,  which  requires  that  several  circuits 
be  assembled  from  "tagged1'  component  parts 
whose  parameters  have  been  measured  and  re- 
corded. Circuit  output  values  are  then  measured, 
making  it  possible  to  relate  an  output  value,  y, 
to  the  several  (independent)  component  part 
parameter  values,  x^,  by  some  general  expression, 

y = g1(x1)  + g2(x2)  + ■ *•  + gi(xi)  + 


■ ••  + + e (13) 


A second  method  of  solution  which  avoids  the 
difficulties  in  (6)  is  the  use  of  synthetic  sampling, 
or  the  Monte  Carlo  method.  Since  all  distributions 


in  which  11  €”  is  a particular  value  of  a new 
random  variable,  "Ert,  having  aero  mean. 

" € " represents  an  error  term  not  explained 


287 


by  the  regression.  Again,  in  practice  it 
will  hopefully  be  possible  to  explain 
most  of  the  variation  in  "y"  using  only  one  or  two 
g^xj)  functions,  of  relatively  simple  form  such 
as, 

Bi(xi)  = <*i  + fii  Xj,  (14) 

in  which  0^  and  are  constants  estimated  by 
the  least- squares  method.  Assuming  the  empirical 
constants  remain  valid  as  circuits  age,  a pre- 
diction of  Fyt  (y)  can  then  be  made  using  either  the 
algebraic  method  or  the  Monte  Carlo  method. 

Several  circuit  equations  may  be  required  if 
a circuit  operates  in  more  than  one  distinct 
"mode”.  For  example,  in  the  switching  circuits 
included  in  this  study,  two  steady-state  conditions 
were  of  interest,  since  satisfactory  performance 
depends  on  both  the  UP- level  and  DOWN- level 
circuit  outputs. 

Component  Part  Parameter  Distribution 
Estimates 

Estimates  of  component  part  parameter  dis- 
tributions for  this  study  were  obtained  from  life 
tests  during  which  circuit  electrical  load  and 
ambient  temperature  were  simulated.  Typical 
test  duration  was  about  2000  hours,  and  the  most 
common  sample  size  for  component  parts  was 
about  50,  Data  reduction  followed  conventional 
statistical  methods,  and  an  effort  was  made  to 
establish  the  type  of  distribution  which  best  fitted 
the  sample  data  and  at  the  same  time  was  reason- 
able in  view  of  physical  considerations.  Establish- 
ing types  of  distributions  and  their  parameters  is 
primarily  of  concern  to  the  Combination  method  of 
analysis.  When  the  Monte  Carlo  analysis  method 
is  used,  it  is  only  necessary  to  determine  several 
points  on  the  sample  frequency  histogram,  to 
which  the  computer  program*5  then  "fits"  an 
empirical  distribution  function.  In  the  Combination 
method,  use  is  made  of  the  first  two  moments 
(the  mean  and  the  variance)  of  the  sample  param- 
eter measurements.  These  completely  describe 
the  distribution,  assuming  that  the  population  dis- 
tribution is  approximately  Normal.  If  a frequency 
histogram  is  skewed  noticeably  positive,  a con- 
version to  a Normal  distribution  can  sometimes 
be  made  by  a logarithmic  transformation. 

One  of  the  largest  single  problems  faced  in 
obtaining  valid  estimates  of  part  parameter  dis- 
tributions for  this  study  was  created  by  the  well- 
known  dependence  of  semiconductor  parameters 
on  test  measurement  conditions,  such  as  temper- 
ature and  operating  point,  or  "bias".  Since  it 
was  necessary  to  use  existing  part  test  data,  no 
choice  could  be  exercised  in  selecting  measure- 


ment conditions,  and  the  best  alternative  was  to 
interpolate  to  the  proper  operating  point.  When 
test  measurements  were  available  for  more  than 
one  operating  point,  this  interpolation  was  not  too 
risky.  Manufacturer's  specification  sheets  were 
frequently  useful,  in  this  connection,  since  these 
usually  show  graphs  of  "typical"  device  parameters 
as  a function  of  operating  point,  based  on  ac- 
cumulated experience.  These  "typical"  curves 
can  be  assumed  to  describe  the  translation  of  a 
part  parameter  mean  value,  when  dealing  with  a 
complete  distribution  function,  which  implies  that 
the  entire  parameter  distribution  is  shifted  to  the 
new  point.  This  brings  up  a final  point  concern- 
ing parameter  distribution  estimates,  related  to 
operating  point.  The  true  operating  point  of  any 
component  may  be  partly  determined  by  the  values 
of  other  random  variables  in  the  circuit,  thus 
violating  the  assumption  of  independence  between 
part  parameters.  If  the  dependence  is  strong,  it 
may  be  necessary  to  write  this  relationship  into 
the  circuit  equation,  y ;(xB),  as  was  done  in 
several  cases  in  this  study. 

Results  Of  Predictions  Of  Distribution 
Functions 

Description  of  Study  Circuits  and  Predictions 

The  circuits  employed  in  the  study  comprised 
three  active  and  three  passive  configurations, 
varying  in  complexity  from  five  to  nine  com- 
ponent parts.  The  three  passive  circuits  were  an 
OR- gate  switching  network,  and  two  AND- gate 
networks  of  slightly  different  design.  The  active 
circuits  were  an  Emitter- follower,  plus  a 
saturating  Inverter  and  a nonsaturating  Inverter 
of  different  configurations.  Each  active  circuit 
employed  a single  transistor  of  different  type. 

For  each  circuit,  an  equation  was  derived 
for  two  output  parameters.  These  were  the 
steady- state  output  UP- level  and  DOWN-level 
voltages,  except  for  the  nonsaturating  Inverter, 
in  which  case  a regression  equation  was  derived 
for  the  two  transient  response  terms,  Fall  Time 
and  Fall  Delay  Time  of  the  output  voltage  pulse. 

Description  of  Circuit  Tests 

The  circuit  tests,  with  which  predictions 
are  compared,  were  performed  on  sample  sizes 
of  24  to  152  circuits,  at  temperatures  simulating 
the  expected  application  and  with  fixed  electrical 
loads.  These  tests  were  carried  out  over  a 
period  of  several  years,  in  connection  with  three 
different  development  programs,  with  various  test 
objectives,  test  controls,  and  measurement 
techniques.  Again,  as  with  the  component  part 
tests  utilized  herein,  these  tests  are  not  con- 


288 


sidered  optimum  for  the  purposes  of  this 
study. 

The  question  of  error  sources  in  measure- 
ments was  considered,  in  comparing  observed 
and  predicted  distribution  functions.  Estimates 
were  made  of  the  possible  bias  error  in  readings, 
and  the  sampling  error  in  the  mean  value  of  read- 
ings which  arises  from  the  statistically- small 
circuit  sample  sizes.  Both  of  these  are  illustrated 
below. 

Examples  of  Results 


Figure  3 shows  the  best  result  obtained, 
which  illustrates  the  sort  of  correlation  which  can 
be  obtained  between  observed  and  predicted 
distributions  when  both  the  predicted  and  measured, 
variables  are  under  good  control.  In  this  example, 
test  measurement  controls  were  known  to  be 
exceptionally  good,  and  valid  part  parameter  data 
were  available.  The  difference  between  the  Com- 
bination and  Monte  Carlo  predictions  in  this  case 
is  believed  to  be  essentially  due  to  the  fact  that  a 
more  exact  circuit  equation  could  be  used  with 
Monte  Carlo  analysis,  and  that  the  part  parameter 
distributions  were  more  accurate. 


Figure  1 illustrates  a typical  result  of  the 
cumulative  probability  polygons  (distribution 
functions)  of  the  observed  circuit  test  results 
compared  with  predicted  results  by  two  methods  - 
the  Combination  and  the  Monte  Carlo  analyses.  In 
general  these  two  methods  yielded  similar  pre- 
dicted distributions,  especially  for  the  less  com- 
plex passive  circuits.  When  any  appreciable 
difference  existed,  the  Monte  Carlo  prediction 
was  usually  closer  to  the  observed  result.  Another 
general  tendancy  noted  in  comparing  predicted 
and  observed  distributions  was  that  the  observa- 
tions had  greater  variance.  Estimates  of  the 
possible  reading  variance  introduced  by  zero- 
mean  measurement  error  sources,  such  as  in- 
strument interpolation,  parallax,  and  scale 
(electrical)  errors,  showed  that  the  excess 
variance  could  have  been  introduced  by  these 
sources. 


Figure  4 is  included  to  illustrate  results 
obtained  using  a regression  equation,  and  the 
Combination  method  of  analysis.  The  circuit  out- 
put parameter  in  this  case  was  Fall  Delay  Time, 
a component  of  the  transient  response  of  the 
circuit.  The  regression  equation  used  was  of  the 
form,  a 


LDF 


a 


£ 


w, 


(15) 


in  which, 

A A 

a and  p are  least- squares  constants 
derived  from  test  measurements,  and 


W = 


HFE  fHFE 


the  inverse  product  of  the  base- collector  D.  C. 
gain  and  the  cut-off  frequency  of  this  gain  para- 
meter for  the  transistor. 


The  possible  bias  (calibration)  error  was 
estimated  to  be  about  1 1/2%  of  the  mean  voltage 
level  with  the  test  set-up  used.  This  error  source 
could  contribute  to  a general  shift  of  the  observed 
distribution  in  one  direction,  for  a given  set  of 
readings.  Since  a statistically  small  sample  of 
each  circuit  was  tested,  the  representativeness 
of  a sample  must  be  considered  in  its  effect  on 
the  mean  value  of  observed  readings.  The  95% 
confidence  interval  about  the  observed  mean  helps 
to  indicate  the  magnitude  of  the  effect  this  un- 
certainty causes. 

Figure  2 illustrates  the  greatest  difference 
that  resulted  between  observed  and  predicted 
distributions  among  all  circuits,  an  example  which 
shows  the  necessity  for  obtaining  component  part 
parameter  distributions  at  the  correct  operating 
(bias)  point.  This  particular  prediction  turned 
out  to  be  primarily  a function  of  the  transistor 
saturation  voltage,  measurements  of  which  were 
taken  at  ffworst  case"  conditions  during  part  tests. 
Attempts  were  made  to  scale  the  observed  dis- 
tribution to  the  proper  conditions,  but  with  less 
than  complete  success,  as  can  be  seen. 


Table  I summarizes  the  over- all  results  of 
all  predictions,  in  terms  of  maximum  percentage 
difference  between  any  predicted  distribution  and 
the  observed  distribution  of  the  parameter  from 
tests.  The  comparisons  are  made  at  the  mean 
value  of  the  observed  parameter  distribution,  and 
at  the  approximate  plus  ((pr  minus)  one  standard 
deviation  point,  whichever  was  most  in  error. 
Twenty  out  of  these  twenty-four  comparison 
points  show  a percentage  difference  of  5%  or  less, 
with  a maximum  percentage  difference  of  12%  in 
two  instances.  The  latter  result  is  illustrated 
in  figure  2. 

Conclusions  And  Recommendations 

The  results  of  the  study  show  that  an  analysis 
of  probable  circuit  performance  can  produce  use- 
ful and  accurate  estimates  of  the  expected  dis- 
tribution of  circuit  output  parameters  during 
operating  life,  given  that  valid  estimates  of  com- 
ponent part  parameter  distributions  are  employed. 
Therefore,  some  of  the  same  objectives  as  those 
of  a circuit  life  test  may  be  accomplished,  with 
comparable  accuracy,  using  various  analytical 


289 


methods.  The  potential  of  these  techniques  for 
performing  a design  review  during  synthesis  of 
design  is  evident. 

The  ability  to  estimate  distribution  functions 
of  a circuit  output  parameter  by  analytical  means 
has  been  established  under  life  test  conditions. 
Whether  or  not  such  estimates  can  be  used  to  de- 
termine the  expected  drift  reliability  of  circuits 
under  field  operating  conditions  is  unknown.  How- 
ever, for  certain  applications,  such  as  satellite 
and  space  missions  of  long  duration,  during  which 
environmental  stress  may  approximate  constant 
temperature  life  test  conditions,  the  analytical 
results  may  well  furnish  the  means  for  estimating 
drift  malfunction  probability.  Under  more  com- 
plex conditions,  the  ability  of  the  Monte  Carlo 
method  to  handle  comprehensive  circuit  equations 
suggests  that,  for  operational  predictions,  input, 
load,  failure  limits,  and  temperature  may  be 
written  into  circuit  equations  and  treated  as 
additional  functions  of  random  variables  with 
estimated  distribution. 

The  three  analysis  techniques  employed  allow 
certain  conclusions  to  be  drawn  about  relative 
accuracy,  ease  of  use,  etc.  It  was  concluded 
that  each  method  may  enjoy  advantages  in  certain 
applications.  The  Monte  Carlo  method  possesses 
over- all  advantages  which  make  it  the  most  attrac- 
tive  for  general  applications.  Outstanding  among 
these  advantages  are: 

• A comprehensive  circuit  equation  may 
be  used,  the  starting  point  for  which 
may  be  conventional  circuit  equations. 

• No  practical  restrictions  exist  on  the 
type  of  circuit  equations,  the  numbers  of 
variables,  or  the  type  of  distribution 
functions  used, 

• Evaluation  of  several  failure  sources 
may  be  readily  performed  in  a single 
analysis. 

• Reanalysis  is  simplified,  for  example, 

if  component  part  values  or  distributions 
are  changed 

• Accuracy  is  generally  better. 

Disadvantages  which  may  be  important  in 
some  instances  are: 

• A medium-  to- large  capacity  computer  is 
required  for  analysis, 

• Computer  programing  is  required,  a step 
which  usually  means  the  designer  cannot 
perform  the  entire  analysis  himself. 


The  Combination  method  proved  to  be 
relatively  easy  to  use  after  circuit  equations  were 
simplified.  It  provided  quicker  results  than  the 
Monte  Carlo  method  and,  for  the  simple  passive 
circuits  (AND,  OR  gates),  results  were  of  com- 
parable accuracy  in  most  cases.  Where  differences 
were  noted,  however,  the  Monte  Carlo  results 
were  closer  to  the  measured  circuit  distributions. 
The  disadvantages  of  the  combination  method  were 
noted  as: 

» The  required  simplification  of  defining 
equations  may  result  in  noticeable  loss 
of  accuracy. 

• The  method  is  restricted  in  both 
number  of  variables  and  type  of  part 
parameter  distributions  which  can  be 
handled. 

The  regression  method  produced  good  re- 
sults for  the  analysis  of  two  transient  terms  which 
contribute  to  circuit  response  time.  The  method 
appears  to  have  special  application  when  defining 
equations  are  not  easily  obtained  from  a circuit 
analysis  or  when  circuit  equations  cannot  be 
written  in  terms  of  the  distributed  parameters 
which  are  commonly  measured  for  component 
parts.  It  should  not  be  compared  directly  with 
either  of  the  previous  methods  for  these  reasons. 

In  the  regression  applications  in  this  study,  analy- 
sis gave  adequate  results  when  using  the  Combi- 
nation method.  In  more  complex  applications  the 
use  of  a Monte  Carlo  analysis  of  the  regression 
equation  should  not  be  overlooked.  Two  dis- 
advantages of  the  method  are  as  follows: 

1.  fabrication  and  measurement  of  a 
sample  of  circuit  outputs  and  corre- 
sponding part  parameters  is  required 
to  develop  the  regression  relationships; 

2.  considerable  effort  may  be  necessary 
to  determine  the  important  part  param- 
eters to  include  in  an  analysis  and  to 
develop  useful  relationships  with  the 
output  parameter. 

Experience  with  the  reduction  of  component 
part  test  data  to  estimate  distributions  for  part 
parameters  indicated  that  acquisition  of  good  data 
is  a major  problem  even  with  large  available 
quantities  of  data.  Test  design  for  component  parts 
was  in  conformance  with  the  circuit  design  philoso- 
phy, resulting  in  most  test  measurements  being 
taken  at  "worst  case"  limits  for  circuit  appli- 
cations. Resultant  distribution  estimates  were 
not  valid  in  most  cases  for  predictions  of  circuit 
life  test  performance.  Attempts  to  adjust  dis- 
tributions to  other  conditions  were  reasonably 


290 


successful,  judged  by  over -all  results.  It 
should  be  possible  to  avoid  much  of  this  problem, 
if  probabilistic  analyses  of  circuits  are  antici- 
pated prior  to  design  of  part  tests.  Approximate 
distributions,  obtained  by  adjustment  for  im- 
proper measurement  conditions,  offer  an 
alternative  which  should  be  investigated  for 
specific  applications. 


Acknowledgments 

The  author  expresses  appreciation  to 
Messrs.  J.  E.  Anderson,  T.  L.  Burnett,  and 
E.  A.  Reeve  for  helpful  suggestions  in  the  course 
of  the  study  on  which  this  paper  is  based.  The 
study  was  performed  under  Contract  AF30(602)- 
2418.  Air  Research  and  Development  Command, 
Rome  Air  Development  Center,  Griffis  Air  Force 
Base,  New  York,  and  Advanced  Research  Projects 
Agency  Order  No.  168-61,  Washington  25,  D.  C. 


References 

1.  Hellerman,  L.  and  Racite,  M.  P. , "Reliability 
Techniques  for  Electronic  Circuit  Design", 
IRE  Trans,  on  Reliability  and  Quality  Control, 
Vol.  14,  pp  9-16;  September  1958. 


2.  Nussbaum,  E. , Irland,  E.  A. , and  Young,  C.  E. , 
"Statistical  Analysis  of  Logic  Circuit  Per- 
formance in  Digital  Systems",  Proc.  IRE,  Vol. 
49,  no.  l,pp  2 36 -2 44; January  1961. 

3.  Brown  H. , Marini,  H. , and  Williams,  R. , 
"Evaluation  and  Prediction  of  Circuit  Per- 
formance by  Statistical  Techniques”,  ARINC 
Monograph  #5,  ARINC  Research  Corp.; 

February  1958. 

4.  Anderson,  J.  E. , "Predicting  Drift  Reliability 
of  Digital  Circuits",  Proc.  6th  Joint  Military - 
Industry  Guided  Missile  Reliability  Symposium, 
15-17  February,  1960. 

5.  Wilkinson,  R.  I.  ,"The  Combination  of  Proba- 
bility Curves  in  Engineering",  Trans.  Amer. 

Inst.  Elec.  Engineers,  Vol.  61,  pp 953-963; 
December,  1942. 

6.  Doxtator,  R.  H.  and  Arnold,  F. , "PRESS:  An 
IBM  704  Program  for  Performance  and  Re- 
liability Evaluation  by  Synthetic  Sampling", 

IBM  Technical  Report  TR01. 01. 112.  602, 

IBM,  Endicott,  N.  Y. ; December  1959. 

7.  Final  Report  on  Prediction  of  Circuit  Drift 
Malfunctions  of  Satellite  Systems,  ARP  A 
168-61,  Contract  AF30{602)-2418,  (Unclassified) . 
IBM  No. : 61-928-28;  November  1961. 


291 


Table  I 


MAXIMUM  ERROR  IN  OUTPUT  PREDICTED  BY  ANY  METHOD,  AS 
PERCENTAGE  OF  OBSERVED  VALUE  AT  THAT  POINT 


Circuit 

At  mean  value 

At  plus  or  minus 
one  sigma  point 

AND-Gate  (#1)  UP-level 

less  than  1% 

less  than  1% 

DOWN-level 

less  than  1% 

3% 

AND-Gate  (#2)  UP-level 

less  than  1% 

less  than  1% 

DOWN-level 

less  than  1% 

5% 

OR-Gate  UP-level 

less  than  1% 

less  than  1% 

DOWN-level 

2% 

3% 

Emitter-Follower  UP-level 

less  than  1% 

less  than  1% 

DOWN-level 

4% 

9% 

Inverter,  Saturating  UP-level 

12% 

12% 

DOWN-level 

less  than  1% 

less  than  1% 

Inverter,  Non- saturating  Tp 

2% 

8% 

tDF 

less  than  1% 

5% 

292 


CUMULATIVE  PROBABILITY  SCALE 


WORST  RESULTS 


Figure  2.  Saturating  Inverter  Circuit  UP-level  Cumulative  Probability  Polygons 


CUMULATIVE  PROBABILITY  SCALE 


BEST  RESULTS 


Figure  3.  Saturating  Inverter  Circuit  DOWN-level  Cumulative  Probability  Polygons 


295 


CUMULATIVE  PROBABILITY  SCALE 


Figure  4.  Non-Saturating  Inverter  Circuit,  Fall  Delay  Time  (Tdf)  Cumulative 

Probability  Polygons 

296 


THE  SPECIFICATION  AND  ASSURANCE 
OF  LARGE  KTBF'S 

TYPICAL  OF  SPACECRAFT  ELECTRONIC  EQUIPMENTS 

Clifford  C#  Petersen 
Motorola  Inc. 

Military  Electronics  Division 
Western  Center 
Scottsdale , Arizona 


Statement  of  the  Problem 

While  this  paper  may  be  regarded,  in  a 
sense,  as  an  open  letter  to  systems  managers 
from  one  of  the  many  suppliers  of  electronic 
equipments  for  spacecraft,  the  topic  is  of  wide 
interest#  The  aerospace  industry  is  confronted 
more  and  more  frequently  with  the  following 
question  related  to  complex  equipments  of  the 
type  normally  procured  in  small  quantity  for  use 
in  spacecraft  systems ; the  question  is:  “How  is 

reliability  best  specified  and  assured?” 

Assurance 

We  must  deal  with  the  question  of  assurance 
before  that  of  the  specification  of  reliability 
because  the  latter  will  reflect  the  amount  of 
assurance  that  is  wanted-  There  is  little  doubt 
that  assurance  is  needed,  since  it  is  the 
logical  basis  for  making  many  decisions  in  the 
genesis  of  a space  system#  Without  assurance 
we  are  forced  into  decisions  based  on  hope  or 
judgment#  The  Department  of  Defense  is  talking 
loud  and  clear  about  incentive  plans  for  relia- 
bility#! Certain  Congressmen  are  speaking  of 
having  manufacturers  post  bonds  which  would  be 
forfeited  if  their  equipment  failed  during 
countdown  or  in  space  operations. 2 Many  manu- 
facturers have  had  experience  with  costly  modi- 
fication programs  to  correct  unreliability. 

From  these  facts  it  is  clear  that  assurance  is 
needed  by  both  the  manufacturer  and  the 
customer.  However,  assurance  must  be  timely, 
available  in  sufficient  degree  at  the  time 
decisions  are  to  be  made#  There  is  no  justifi- 
cation for  spending  funds  for  assurance  intended 
merely  to  give  an  after-the-fact  sense  of 
satisfaction# 

There  are  many  ways  of  assuring  that  an 
equipment  is,  or  will  be,  reliable#  They  differ 
in  degree  as  well  as  in  technique  and  are  fully 
explored  in  the  literature  of  the  day.  They 
include  implicit  confidence  in  predictive  esti- 
mates based  on  part  counts,  trust  in  the 
implementation  and  surveillance  of  special 
design  and  manufacturing  practices,  reliance  on 
product  improvement  achieved  by  overs tress 
testing  to  failure,  and  the  demonstration  of 
mean  time  between  failures  by  life  test*  These 
techniques  are  used  singly  or  in  combination  to 
create  confidence  at  a time  prior  to  actual 
countdown.  The  life  test  technique  usually 
gives  the  most  confidence.  In  spite  of  some 


obvious  problems,  we  believe  demonstration  by 
life  test  should  be  a mandatory  technique  for 
generating  assurance,  even  for  large  mean  times 
between  failure. 

Demonstrated  Assurance 

The  MTBF!s  required  of  spacecraft  equip- 
ments usually  are  large#  Requirements  we 
encountered  a year  or  two  ago  were  stated  in 
terms  such  as  90  per  cent  reliability  for  a 
one -year  mission  for  equipments  intended  for 
Advent,  0A0,  and  GGO.  More  recently  we  have 
bid  on  equipment  having  reliability  require- 
ments stated  in  terms  of  large  MTBF!s.  Typical 
are: 

Deep  Space  Communications  System  for  Apollo  - 
5,200  hrs,  design  goal 

Minitrack  Beacon  for  Apollo  - 

16,750  hrs,  design  goal;  (8820  hrs  of 
test  experience,  no  failures) 

S-Band  Beacon  - 

5.000  hrs,  requirement;  15,000  hrs, 

design  goal 

Data  Reception  System  for  Gemini  - 

16,800  hrs,  requirement;  requires  test  of  3 
systems  for  16,800  accumulated 
equipment  hours# 

Radar  Set  for  Space  Seeker  Satellite  - 

10.000  hrs,  requirement. 

When  we  think  of  accumulating  many  equip- 
ment-years of  controlled  life  test  data  in 
order  to  demonstrate  MTBF*  s like  these  with 
high  confidence  we  are  shocked.  Usual 
scheduling  practices  are  such  that  there  is  too 
little  time  before  expiration  of  contracts  to 
perform  such  demonstrations.  New  developments 
typically  run  a year  or  two  and  modifications 
of  present  devices  are  usually  wanted  in  less 
than  one  year.  Also  the  present  state  of  the 
art  of  accelerated  test  techniques  is  too  un- 
developed to  alleviate  the  situation.  We  will 
now  suggest  several  means  of  mitigating  this 
problem. 

Making  Demonstration  Possible 

One  possible  way  to  gain  time  for  lengthy 
demonstration  is  to  extend  the  contract  given 


297 


to  the  equipment  developer  to  a time  beyond  the 
delivery  dates  of  deliverable  items,  and  make  it 
extend  to  t hu  latest  possible  time  when  a firm 
reliability  assessment  is  required.  This  would 
penult  the  longest  possible  duration  of  relia- 
bility demonstration  tests.  It  also  assumes 
that  the  information  will  be  useful  in  decision- 
making after  delivery  of  equipments*  We  believe 
that  it  is  not  too  late  to  apply  demonstrated 
results  to  decision-making  up  to  the  time  of 
blastoff,  whether  these  be  decisions  regarding 
launch  operations,  modifications,  or  contract 
incentive  payments. 

Another  means  of  gaining  time  is  to  ask 
that  manufacturers  who  supply  basic  equipments 
with  minor  modifications  show  evidence  of  long 
duration  life  tests  which  they  have  previously 
conducted  on  their  basic  product.  Progressive 
manufacturers  with  so-called  off-the-shelf  items 
should  feel  the  real  need  to  know  the  MTBF  of 
their  equipments  for  their  own  assurance,  as 
well  as  for  improving  their  prospects  of  gaining 
new  contracts.  So  much  time  is  often  spent 
mulling  over  such  a step  that  it  is  well  for 
manufacturers  to  remember  that  a test  never 
started  is  never  finished. 

Yet  another  alternative,  if  time  absolutely 
does  not  permit  demonstrated  assurance  with  a 
high  confidence,  is  to  call  for  the  performance 
of  life  tests  of  whatever  duration  is  feasible, 
even  though  not  long  enough  to  provide  full 
confidence.  Increasing  the  number  of  equipments 
to  more  than  the  few  usually  subjected  to  life 
test  seems  highly  desirable.  Testing  such  in- 
creased quantities  for  one -half , or  one -quarter, 
of  the  mission  time  would  provide  a fair  degree 
of  confidence.  While  such  a test  would  not 
demonstrate  longevity,  it  would  produce  a more 
satisfactory  number  of  equipment -hours  and  would 
permit  surveillance  of  a more  representative 
sample*  To  avoid  life  or  reliability  tests 
entirely  because  a truly  adequate  test  cannot  be 
conducted  would  be  an  error.  Our  experience  has 
shown  that  much  is  revealed  fairly  early  in  an 
equipment  or  system  life  test,  giving  knowledge 
of  a type  not  uncovered  in  typical  equipment 
qualification  tests. 

Specification 

The  specification  and  schedule  should  be 
consistent  with  a course  of  action  selected  from 
the  suggestions  just  presented*  The  schedule, 
should,  insofar  as  practical,  allow  adequate 
time  for  the  discovery  and  correction  of  equip- 
ment design  deficiencies.  The  system  manager, 
in  requiring  a demonstration  by  test  during  the 
course  of  the  contract,  should  specify  the 
duration  of  the  test,  conditions  of  test 
(preferably  selected  from  standard  AGREE  levels), 
the  number  of  equipments  to  be  tested,  and  the 
number  of  allowable  failures.  He  is  in  the  best 
position  to  determine  tradeoff  between  schedule 
and  confidence.  If  he  leaves  the  design  of  the 
demonstration  test  to  the  equipment  supplier. 


bids  will  reflect  various  interpretations  of 
this  costly  task. 

The  specification  should  also  include  other 
often  neglected  means  of  adding  to  reliability 
assurance.  Three  such  means  seem  worthy  of 
discussion. 

Parts  standardisation  should  be  implemented 
on  a systemwide  basis  whenever  possible.  The 
advantages  are  so  tremendous  that  full  consider- 
ation should  be  given  to  requiring  the  use  of 
specific  component  parts  that  have  proven  merit 
or  that  will  be  so  established  in  a coordinated 
test  program.  Reducing  the  variety  of  types, 
values,  and  makes  of  parts  makes  it  possible  to 
conduct  strong  efforts  in  improving  them,  in 
screening  them,  in  de  terming  their  failure 
rates,  and  in  understanding  their  limitations 
and  behavior  as  basic  building  blocks* 
Standardization  is  not  easy.  Equipment  pro- 
ducers have  their  own  preferences,  and  strong, 
early  leadership  must  be  taken  in  such  a 
standardization  effort.  We  have  seen  a few 
such  attempts  fall  on  their  face  principally 
because  they  were  of  an  optional  nature  or 
because  they  were  not  started  soon  enough. 
Admiral  Horne,  in  the  keynote  speech  at  the 
Eighth  National  R & QG  Symposium,  endorsed  a 
recommendation  by  an  Electronic  Industries 
Association  committee  to  the  effect  that  the 
number  of  types  and  values  of  parts  now  being 
used  should  be  reduced  drastically.  When  parts 
with  guaranteed  levels  of  failure  rate  are 
available,  through  implementation  of  the 
Darnell  report,  it  may  become  easier  to 
standardise  within  a system  because  the  vendors 
of  parts  will,  in  effect,  be  classified  as  to 
reliability*  By  requiring  that  procurement  be 
to  a specified  reliability  level,  the  variety 
of  part  types  and  vendors  in  use  in  the  system 
will  be  narrowed.  We  note  a recent  trend 
toward  a degree  of  standardization  through  the 
easily  stated  edict  to  11  use  Minuteman  grade 
parts,11  A word  of  caution  is  appropriate  on 
this  score.  Hot  all  users  are  aware  that  a 
great  deal  of  screening  and  bum -in  testing  is 
performed  on  such  parts  by  the  purchaser  before 
being  installed  in  Minuteman  equipments*  While 
it  is  true  that  a certain  amount  of  product 
improvement  advantage  and  a narrowing  of  part 
varieties  is  achieved  by  attempting  to  use 
"limuteman  parts,'1  we  feel  that  the  reliability 
advantages  to  the  casual  user  have  been  over- 
sold* 

The  second  neglected  area  relates  to 
orientation  of  designers  with  respect  to  the 
field  use  conditions.  Principal  designers 
should  be  shown  systems  mockups,  given  first- 
hand opportunity  to  see  where  their  equipments 
are  bolted  into  the  system,  and  taken  on-site 
to  witness  typical  end  use  conditions.  Merely 
spe cifying  environments  and  operating  periods 
is  rather  inadequate  in  conveying  to  th© 
designer  a retainable  picture  of  the  kind  of 
operating,  handling,  and  checkout  abuse  to 


£98 


which  his  equipment  will  be  subjected.  Proper 
orientation  of  designers  will  provide  additional 
assurance  that  designs  will  be  compatible  with 
use  conditions  and  thus  more  reliable* 

The  third  neglected  area  concerns  field 
failure  removal  and  analysis  activities.  The 
equipment  manufacturer  should  be  included  in 
these  operations  as  he  is  in  the  best  position 
to  detect  possible  deficiencies  of  his  elec- 
tronic equipment  and  to  gather  complete  informa- 
tion needed  for  the  analysis  and  corrective 
action  decisions.  It  Is  no  secret  that  failure 
analysis  of  deficiencies  occurring  in  the  field 
is  far  from  optimum  *3  on  the  spot  trouble- 
shooting by  the  equipment  manufacturer  and 
return  of  unmolested  equipments  to  his  plant  for 
further  analysis  and  repair  would  add  to 
assurance  that  reliability  objectives  would  be 
more  quickly  achieved. 

Longer  Burn-In 

So  far  in  this  talk  we  have  attempted  to 
establish  that  reliability  assurance  is  needed , 
that  systems  specifications  should  require 
several  often  neglected  means  of  increasing 
assurance*  and  that  demonstration  life  tests 
should  not  be  eliminated,  even  though  finding 
sufficient  time  to  perform  the  tests  is  a 
difficult  problem*  In  stating  that  such  tests 
naturally  take  a long  time,  it  is  implied  that 
accelerating  techniques  are  not  presently  valid 
and  that  previously  accepted  experience  and 
theory  regarding  the  constant  failure  rate  of 
electronic  equipments  applies  to  typical  space- 
craft missions.  We  will  now  discuss  the  impli- 
cations if  a decreasing  failure  rate*  rather 
than  constant  failure  rate,  were  actually 
applicable  to  long  term  space  missions,  and 
present  some  facts  that  indicate  this  may  be 
the  case.  A decreasing  failure  rate,  of  course, 
would  point  to  the  advisability  of  longer  burn- 
in  periods*  It  also  would  shorten  the  demon- 
stration test,  or  looking  at  it  another  way, 
would  give  more  confidence  with  a given  duration 
of  test,  A possible  curtailed  demonstration 
test  for  a typical  spacecraft  MTBF  could  be  as 
follows*  It  could  require  S to  10  equipments  to 
be  burned-in  for  1000  hours  each  at  AGREE  X- 
level,  during  which  period  failures  would  be 
analysed  but  not  be  considered  as  deficiencies. 
Presumably  the  decreasing  failure  rate  would  be 
confirmed  during  the  burn-in  period*  All  equip- 
ments could  then  be  required  to  survive  the  next 
2000  hours  of  test  at  the  less  severe  AGREE  M- 
level  with  perhaps  no  more  than  one  failure 
permitted  during  the  10,000  to  20,000  equipment - 
hours  of  test.  If  marginal  parts  were  replaced 
during  the  long  burn-in,  and  only  one  failure 
occurred  during  the  2000-hour  test,  there  would 
be  additional  basis  for  confidence  that  the 
failure  rate  was  decreasing  and  that  longer 
missions  could  be  accomplished  with  very  low 
probability  of  failure  by  equipments  that  had 
been  properly  burned-in* 


The  Case  for  Decreasing  Failure  Rate 

The  concept  of  constant  failure  rate  being 
characteristic  of  con^lex  electronic  equipments 
started  as  a result  of  early  field  studies  by 
ARInc  and  others*  Experience  still  shows  that 
when  equipments  are  repaired  as  they  fail, 
particularly  when  this  occurs  frequently,  part 
ages  become  mixed  and  the  constant  failure  rate 
is  a good  approximation  for  equipments*  As  a 
result  of  this,  the  convenient  thing  to  do  is 
assume  that  parts  also  must  have  a constant 
failure  rate,  and  this  gives  birth  to  a flurry 
of  activities  in  reliability  prediction  with 
refinements  that  are  of  questionable  merit* 

Horn  and  Shoup  of  Boeing^  have  analysed 
the  failure  rate  of  B-^2  systems  versus  mission 
time  and  found  that  2 -hour  flights  experienced 
failure  rates  of  3k%  per  hour,  while  missions 
of  10  to  2l|  hours  bad  failure  rates  of  1$  per 
hour*  These  figures  are  cumulative  for  many 
systems  of  the  airplane  but  the  electronic 
systems  followed  this  same  trend.  The  effect 
is  attributed  to  turn-on  stresses,  take-off 
environment,  and  the  consequences  of  poor 
maintenance  making  themselves  felt  to  a greater 
degree  on  short  missions* 

Remington  Rand  Univac,  in  private  communi- 
cations, indicates  that  published  data  on  their 
Athena  computer  system  shows  a steadily  de- 
creasing failure  rate,  now  less  than  1%  per 
million  hours  per  part-  This  computer  has  long 
operating  periods,  few  failures,  and  a mild, 
environment  $ it  thus  has  some  of  the  character- 
istics of  space  flight  conditions* 

The  evidence  is  stronger  for  parts. 

Process  ini  and  Romano  of  Motorola^  have  demon- 
strated with  very  extensive  tests  (20,000  hours 
in  duration)  that  germanium  switching  and 
amplifier  transistors  clearly  follow  a Weibul! 
failure  distribution  with  decreasing  failure 
rate*  The  Wefbull  (3  parameter  ranged  from  0,1 
to  Q.U,  This  work  showed  that  a stated  Minute- 
man  goal  of  ,0007#  per  thousand  hours  during  a 
three -year  period  should  more  properly  be 
defined  as  a cumulative  percentage  of  failures 
to  be  allowed  in  this  period*  As  stated,  a 
constant  failure  rate  is  implied,  whereas  It  was 
proved  that  on  specific  test  lots  the  early 
failure  rate  was  higher  than  the  goal  and  the 
final  failure  rate  was  lower  than  the  goal* 

At  Motorola,  we  also  have  data  on  10,000- 
and  l5, 000-hour  tests^  of  depo sited-carbon 
resistors,  silvered  mica  capacitors,  and  paper 
capacitors,  that  distinctly  show  diminishing 
failure  rates  as  time  is  extended-  Often  we 
have  found  at  the  end  of  long  term  tests  that 
the  surviving  parts,  instead  of  being  worn  out 
or  unreliable,  are  really  just  well  broken  in* 
Hines  of  Corning  Glass  Works*  presented  the 
results  of  over  1 66  million  unit-hours  of  tests 
on  fixed  glass  capacitors  early  this  year*  The 


299 


failure  rates  observed  were  strongly  decreasing 
after  about  1500  hours  and  were  well  described 
by  a Weibull  distribution  with  (3  = 0.1*.  Hines 
made  a strong  plea  that  we  cease  "the  practice 
of  blindly  as  sinning  an  exponential  failure 
distribution,11  or  constant  failure  rate*  Weaver 
and  Smith  of  Minneapolis -Honeywell”  have  shown 
that  gyro  spin  motors  exhibit  decreasing  failure 
rates  (Weibull  distribution  with  (3  » 0*65)  up 
to  the  time  wear out  mechanisms  take  effect* 

L,  RP  Ooldthwaite  of  the  Bell  Laboratories? 
suggests  that  what  we  have  been  calling  exponen- 
tial failure  distributions  with  constant  failure 
rate  may  actually  be  log  normal  distributions 
which  have  decreasing  failure  rates  after  the 
mode  has  been  reached.  The  two  distributions 
are  easily  confused  if  the  data  is  meager. 

If  decreasing  failure  rates  are  generally 
applicable  to  parts,  then  equipment  design 
efforts  that  are  strongly  oriented  toward  relia- 
bility should  produce  equipments  having  de- 
creasing failure  rates.  On  such  well -designed 
equipments,  relatively  few  parts  would  be  re- 
placed, even  in  the  bum-in  period.  The  effects 
of  poor  maintenance  would  be  eliminated  because 
repair  during  bum-in  would  be  accomplished  in- 
plant. 

deeded  Research 

At  present  it  appears  that  we  should  obtain 
our  fullest  assurance  of  reliability  by  life 
testing  and  longer  bum-in  of  equipments  and 
systems.  Because  of  the  considerable  cost  in 
dollars  and  hours  required  for  doing  this, 
however,  it  is  imperative  that  we  devise  means 
of  accelerating  tests,  improve  the  accuracy  of 
our  predictive  estimates  of  reliability,  and 
gain  the  capability  of  identifying  and  screening 
out  parts  having  less  than  average  potential 
lifetimes* 

We  must  learn  how  to  sufficiently  and 
validly  accelerate  tests  on  equipments  and  parts* 
Attempts  to  do  this  on  equipments  have  been  rare* 
More  work  is  needed  such  as  the  effort  by 
Pettinato  and  McLaughlin10  which  resulted  in 
determining  an  acceleration  factor  of  2*3  for 
communications  equipment  when  the  ambient 
temperature  was  increased  from  25  to  70°G. 
Acceleration  attempts  on  parts  have  led  to  con- 
flicting results  and  to  many  claims  that  they 
are  not  valid  because  the  methods  induce  non- 
typical  failure  modes.  More  fundamental  work 
in  this  area,  such  as  that  being  done  by  the 
Battelle  Memorial  Institute  under  sponsorship 
of  the  ECHO,11  should  be  encouraged. 

We  should  determine  more  accurately  what 
failure  distributions  really  are  applicable  to 
parts,  equipments,  and  systems  so  that  our  pre- 
dictive estimates  will  be  based  on  fact,  not 
convenience.  If  the  exponential  distribution 
is  found  generally  non -applicable,  then  vre  will 
need  to  perfect  practical  methods  of  calculating 
reliability  from  the  combined  effects  of  parts 


having  many  different  types  of  failure  distribu- 
tions. 

Itrs  imperative  that  we  search  further  into 
the  material  behavior  associated  with  failing 
component  parts  so  that  we  identify  the  mechan- 
isms of  failure.  Such  knowledge  would  permit  us 
to  more  effectively  apply  predictive  screening 
techniques  for  which  statistical  methods  are 
already  highly  developed*12  This  knowledge  of 
failure  mechanisms  would  also  lead  to  a better 
choice  of  stresses  in  our  attempts  to  accelerate 
life  testing. 

We  should  gather  reliable  data  on  the 
occurrence  of  part  failures  in  the  various 
failure  modes.  This  information  is  necessary 
if  we  are  to  apply  redundancy  effectively  at  the 
pari;  level.  Whether,  for  example,  a resistor 
fails  by  shorting  more  often  than  it  fails  by 
opening  a circuit  determines  whether  redundant 
resistors  should  be  in  series  or  in  parallel* 

A mistake  in  our  assumption  could  result  in 
making  the  circuit  less  reliable,  and  of  course 
our  predictive  estimates  would  also  be  erroneous. 

Success  in  all  these  areas  of  research 
would  increase  our  ability  to  design  more 
reliable  equipment  and  make  it  possible  for  us 
to  gain  needed  assurance  of  reliability,  at  an 
early  time,  by  test  and  by  more  accurate  pre- 
dictive estimates. 


The  initially  stated  question  relative  to 
large  MTBFrs  typical  of  spacecraft  missions 
was,  "How  is  reliability  best  specified  and 
assured?"  We  have  answered  as  follows : 
assurance  by  means  of  life  test  demonstration 
is  the  best  kind  of  assurance  even  if  such  tests 
must  be  curtailed;  several  ways  of  making  long 
tests  practicable  were  suggested;  some  often 
neglected  specification  requirements  were  dis- 
cussed; and  the  implications  of  a decreasing 
failure  rate  and  longer  burn-in  of  equipment 
were  explored.  Finally  we  suggested  that  re- 
search be  vigorously  pursued  in  the  following 
areas : 

Development  of  accelerated  test 
techniques. 

Determination  of  actual  failure  rates. 

Understanding  of  failure  mechanisms 
and  application  of  this  knowledge 
to  screening  techniques. 

Data  collection  on  failure  modes  to  aid 
redundant  design  and  predictive 
estimates . 

Improvement  in  our  present  methods  of  gain- 
ing assurance  of  reliability  will  become  a 
necessity  as  space  missions  and  attendant  mean 
times  between  failure  become  longer. 


300 


References 


le  Thomas  D.  Morris , Asst.  Defense  Secy,  for 
Installation  and  Logistics,  Electronic  News, 
2/5/62. 

2.  A.S.A.  Newsletter  No.  107,  March  1962. 

3.  Battelle  Memorial  Institute,  Technical  Memo 
No.  3,  ECRC,  "Survey  of  Field  Failure 
Reporting  Systems,"  7/5/60. 

h*  Horn  and  Shoup,  "Determinations  and  Use  of 
Failure  Patterns,"  Proc.  Eighth  National 
Symposium  on  Reliability  and  Quality  Control, 
January  1962. 

5.  Pro cassini  and  Romano,  "Use  of  the  Weibull 
Distribution  Function  in  the  Analysis  of 
Multivariate  Life  Test  Results,"  WESCON, 
August  1961. 

6.  Motorola  Military  Electronics  Division, 
Reliability  and  Components  Group  Reports 
No.  M-517R-17  and  M-517-19,  and  IDEP  No. 
151.U5.00.50-E9-01. 

70  L.  D.  Hines,  "Acceleration  Factor  Determina- 
tion on  Glass  Capacitors,"  Proc.  Eighth 
National  Symposium  on  Reliability  and  Quality 
Control,  January  1962. 

8.  Weaver  and  Smith,  "Life  Distribution  of 
Electromechanical  Parts,"  Proc.  Eighth 
National  Symposium  on  Reliability  and  Quality- 
Control,  January  1962. 

9.  L.  R.  Goldthwaite,  "Failure  Rate  Study  for 
the  Lognormal  Lifetime  Model,"  Proc.  Seventh 
National  Symposium  on  Reliability  and  Quality 
Control,  January  1961. 

10.  Pettinato  and  McLaughlin,  "Accelerated 
Reliability  Testing,"  Proc.  Seventh  National 
Symposium  on  Reliability  and  Quality  Control, 
January  1961. 

11.  Battelle  Memorial  Institute,  Research  Report 
No.  5,  Electronic  Components  Reliability 
Center,  February  28,  1962. 

12.  Battelle  Memorial  Institute,  Technical 
Memoranda  No.  5,  8,  and  10,  and  Research 
Report  No.  1,  ECRC,  November  I960  - 
September  1961. 


J . •’ 


* 

RELIABILITY  PROGRAMS  FOR  "L"  SYSTEMS 

James  R.  Barton 
Major  USAF 

George  H.  Allen 
Staff  Reliability 

Electronic  Systems  Division 
Laurence  G.  Hanscom  Field 
Bedford,  Massachusetts 


The  AFSC  Program  Structure  assigns  numbers 
and  letters  to  the  various  programs  in  order 
to  identify  the  efforts  for  management  control. 
The  fact  that  most  of  the  command  and  control 
systems  have  the  designator  M1H  affixed^has 
prompted  the  reference  to  them  as  the  "Lrr 
systems . 

In  this  paper  the  mission  of  1TLlf  systems 
has  been  described,  the  complexity  of  the 
equipment  indicated,  and  the  importance  of  these 
systems  to  our  national  defense  efforts  pointed 
out* 

The  efforts  by  the  Electronic  Systems 
Division  to  comply  with  the  Air  Force  policy 
that  a comprehensive  reliability  program  be 
required  for  each  contract  to  assure  delivery 
of  reliable  systems  and  equipment  to  the  Air 
Force  inventory  are  described  in  considerable 
detail. 

Definition  and  Mission  of  MLM  Systems 

The  breadth  and  variation  of  the  Air  Force 
Systems  Command's  efforts  require  a means  of 
categorising  this  effort  into  subelements  for 
management  and  control.  The  AFSC  program 
structure  was  developed  to  provide  the  criterion 
whereby  each  AFSC  job  is  categorised  and 
identified*  The  systems  which  this  paper  will 
deal  with  are  those  of  the  nLM  systems  which  are 
categorised  in  the  program  structure  PS  400L 
through  PS  499L*  The  command  and  control  sys- 
tems, often  referred  to  as  1fLM  systems,  are 
composites  of  equipment,  skills,  and  techniques 
which,  while  not  instruments  of  combat,  are 
capable  of  performing  the  clearly  defined  func- 
tion of  enabling  a commander  to  exercise 
continuous  control  of  his  forces  and  weapons  in 
all  situations  by  providing  him  with  the  infor- 
mation needed  to  make  operational  decisions  and 
the  means  for  passing  on  these  decisions. 

These  systems  are  extremely  complex  with 
parts  counts  of  some  totaling  450,000,000  parts. 
While  the  use  of  parts  count  as  an  indication 
of  system  complexity  may  be  somewhat  misleading, 
it  can  be  seen  from  the  enormity  of  the  number 
alone  that  these  systems  are  tremendous  In  size 


and  complexity.  For  systems  designed  to  perform 
such  an  important  function  in  our  defense  system, 
it  is  easy  to  see  why  reliability  has  become  such 
an  important  design  factor  and  why  the  achieve- 
ment of  reliability  could  be  such  a problem. 

A complete  system  includes  all  subsystems, 
related  facilities,  equipment,  materiel, 
services,  and  personnel  required  for  operation  of 
the  system  so  that  it  can  be  considered  a self- 
sufficient  unit  in  its  intended  operational 
environment*  The  mission  of  these  systems  may 
then  be  stated  as  that  of  collecting,  trans- 
mitting, processing,  and  displaying  information 
for  command  decisions  and  for  control  of  forces, 
weapons,  and  aerospace  vehicles.  From  this 
simple  mission  statement  of  the  systems  developed 
by  the  Electronic  Systems  Division  (ESD)  we  get 
a vivid  picture  of  the  importance  of  this  work 
to  the  defense  and  survival  of  our  nation  and 
our  allies.  Without  these  systems  there  could 
be  no  early  warning,  detection,  interception  nor 
destruction  of  aggressor  weapons  in  time  to 
prevent  destruction  of  our  nation  and  resources. 

To  develop  these  systems  various  USAF 
organisations  have  been  amalgamated  into  a well 
coordinated  team  at  Laurence  G.  Hanscom  Field  in 
Bedford,  Massachusetts  to  provide  a concurrent 
approach  to  the  task  of  providing  electronic 
systems  for  command  and  control  of  aerospace 
forces.  This  team  is  comprised  of  representa- 
tives from  research  and  development,  logistics, 
training,  and  using  commands  with  specific 
system  acquisition  responsibilities  being 
assigned  to  a specific  System  Program  Office 
(SPO)  identified  by  a program  structure  designa- 
tor between  400L  and  499L.  Technical  support 
of  the  program  is  provided  by  the  Rome  Air 
Development  Center  (RADC)  at  Griff iss  A.F.B., 
Rome,  New  York  and  non-profit  organizations  such 
as  MITRE.  The  officer  in  charge  of  the  SPO  has 
the  official  title  of  the  System  Program  Director 
and  as  such  is  charged  with  the  responsibility 
to  develop,  and  to  deliver  the  first  complete 
system  to  the  using  command  on  schedule,  at  the 
lowest  price  possible  and  with  the  highest 
practicable  capability  and  reliability. 

Reliability  Requirements 

In  recognition  of  the  importance  of  the 


303 


design  for  reliability,  Headquarters  USAF 
published  a regulation,  AFR  375-5  entitled : 
Reliability  Program  for  Weapon,  Support  and 
Command  and  Control  Systems,  which  defines 
reliability  as  the  probability  that  a system 
will  perform  a required  function  under  specified 
conditions,  without  failure,  for  a specified 
period  of  time*  This  regulation  also  clearly 
enunciates  the  Air  Force  policy  on  reliability* 
Briefly  stated,  the  Air  Force  requires  that 
reliability  be  considered  as  a major  design 
factor  to  be  stressed  during  early  system 
studies,  source  selection,  design,  development, 
and  production.  Each  program  for  which  a 
contract  is  written  shall  include  realistic 
reliability  requirements  expressed  as  numerical 
probability  values  from  the  minimum  acceptable 
to  the  desired  goal,  with  such  intermediate 
quantitative  values  required  to  measure  pro- 
gression, and  a stated  minimum  acceptable 
confidence  level  for  each  probability  value. 
These  reliability  requirements  will  extend 
through  the  system  contractor,  subcontractor, 
and  vendor  levels  with  monitoring  points 
established  in  order  to  assist  the  Air  Force 
in  surveillance  of  the  program  through  all 
phases  of  development  and  production. 

It  is  evident  from  the  brief  statement  of 
the  Air  Force  policy  on  reliability  that  great 
emphasis  is  placed  upon  quantitative  require- 
ments in  contracts  for  equipment  or  studies  in 
which  the  Air  Force  will  have  an  equity.  We  at 
the  ESD  hold  that  it  is  just  as  important  that 
these  numerical  statements  of  reliability  re- 
quirements be  realistic*  Further,  the  upper 
value  established  as  a goal  should  be  such  that 
a constant  advancement  in  the  state-of-the-art 
is  made  by  requiring  greater  refinement  of 
methods,  techniques,  and  components  to  achieve 
these  goals.  To  provide  realistic  values  for 
new  equipments  performing  new  functions  is 
difficult  and  it  is  in  matters  of  this  type 
that  the  technical  support  of  the  Rome  Air 
Development  Center  (RADC)  is  relied  upon.  In 
the  search  for  more  realistic  reliability  re- 
quirements, it  has  become  increasingly  obvious 
that  reliability  alone  does  not  totally  meet 
the  MLn  systems  requirements j therefore,  the 
requirements  have  been  more  and  more  stated  in 
terms  of  availability  where  not  only  reliability 
is  a prime  engineering  factor,  but  maintaina- 
bility becomes  increasingly  important.  The  use 
of  the  availability  figure  of  merit  permits 
trade-offs  between  reliability  and  maintaina- 
bility, thus  making  possible  the  selection  of 
optimum  values  of  each  to  be  achieved  while 
considering  the  total  life  cycle  of  the  equip- 
ment. Such  total  considerations  result  in  more 
Air  Force  per  dollar  and  at  the  same  time 
provides  the  high  level  of  mission  capability 
required  by  our  customers,  the  using  commands. 

While  this  paper  primarily  deals  with 
reliability,  it  should  be  borne  in  mind  that  in 
each  instance  where  reliability  is  used  the  word 
maintainability  could  be  inserted  with  equal 
application  and  importance. 


Integrated  Missile  and  Command  and  Control 
Systems 

Before  the  regimen  is  described  to  you,  by 
means  of  which  the  reliability  and/or  maintaina- 
bility programs  are  administered  at  the  ESD,  it 
might  be  well  to  discuss  very  briefly  a system 
developed  by  the  ESD.  The  systems  with  which 
most  of  us  are  familiar  at  this  time  are  the 
Ballistic  Missile  Early  Warning  System  (BMEWS) 
and  Semi-Automatic  Ground  Environment  (SAGE). 

The  SAGE/BIRDIE/falKE  System  is  a good 
example  of  an  integrated  missile  and  command  and 
control  system.  For  those  of  you  not  familiar 
with  the  BIRDIE  equipment,  BIRDIE  stands  for 
Battery  Integration  and  Radar  Display  Equipment. 
This  equipment  provides  the  connecting  link  be- 
tween the  SAGE  system  and  the  non-Missile  Master 
equipped  surface-to-air  missile  fire  unit 
complexes  and  are  designed  to  permit  effective 
battle  application  of  Army  provided  missiles 
through  North  American  Air  Defense  (NORAD) 
direction  from  SAGE  facilities  by  digital  com- 
munications and  electronic  designations.  The 
primary  purpose  of  the  BIRDIE  equipment  is  to 
integrate  the  air  defense  artillery  (ADA)  units 
with  SAGE  to  provide  data  interchange  between 
fire  units  and  to  enable  the  ADA  defense 
commander  to  monitor  the  air  battle. 

This  integrated  SAGE/BIRDIE/NIKE  system 
provides  an  excellent  comparison  of  the  strate- 
gems  available  to  the  engineer  to  achieve  the 
high  degree  of  reliability  required  of  these 
systems . The  SAGE  system  provides  a single 
channel  of  operational  control  extending  from 
NORAD  Combat  Operations  Center  (COG)  down  to 
SAGE  regions  and  sectors.  This  concept  of 
operation  dictates  the  vesting  of  operational 
authority  of  the  whole  defense  system  in  a 
centralized  agency  having  complete  cognizance  of 
the  air  situation.  Within  these  concepts  the 
SAGE/BIRDIE/NIKE  system  must  function  so  that 
adequate  utilization  of  Air  Defense  Artillery 
weapons  may  be  accomplished  with  respect  to 
other  weapon  systems.  To  achieve  the  positive 
control  with  the  necessary  assurance  that  these 
functions  will  be  performed,  it  is  essential 
that  delegation  of  defense  responsibilities  and 
modes  of  operation  be  enunciated.  To  accomplish 
the  SAGE  mission,  there  are  four  modes  of  opera- 
tion. The  nominal  mode  of  operation  or  Mode  I 
is  that  each  SAGE  Direction  Center  (DC)  will  be 
responsible  for  and  will  exercise  complete 
control  over  the  conduct  of  the  air  battle 
within  its  sector  boundaries.  Mode  II  - when 
any  DC  becomes  inoperative,  adjacent  DC* s will 
accept  full  air  defense  responsibilities  and 
authority  over  specified  portions  of  the 
disabled  DC.  Mode  III  - in  the  event  of  two 
adjacent  DC!s  becoming  inoperative  or  any  other 
situation  develops  that  prevents  Mode  I and 
Mode  II  operation  the  Norad  Control  Center  (NCC) 
v/ill  assume  responsibility  and  operational  con- 
trol within  their  specified  areas.  Mode  IV  - in 
the  event  that  any  air  defense  weapon  system  or 
unit  loses  all  contact  with  the  SAGE  DC  or  NCC 


304 


under  whose  control  they  were  previously  opera- 
ting they  will  operate  autonomously  under  such 
local  control  as  may  be  operative  within  the 
system  or  unit  with  responsibility  for  control 
vested  in  the  local  unit  or  weapons  system 
commander , 

It  can  be  readily  perceived  from  the 
described  modes  of  operation  that  the  system 
provides  parallel  redundancy  in  the  paths  that 
may  be  utilized  to  exercise  control  over  the 
weapons.  While  some  degradation  may  be 
suffered  in  switching  to  alternate  modes,  the 
probability  of  successfully  accomplishing  the 
required  mission  is  very  high.  When  it  is 
considered  that  this  portion  of  the  system  is  in 
series  with  the  weapon  and  warhead  probabilities, 
it  is  apparent  that  a high  probability  is  re- 
quired. The  use  of  high  yield  atomic  warheads 
would  raise  the  probability  of  kill,  provided  the 
delivery  of  the  device  within  a given  distance, 
to  virtually  1.00  probability. 

The  third  element  in  this  series  system  is 
the  vehicle  itself.  The  probability  that  the 
firing  from  the  point  of  liftoff  and  trajectory 
to  the  target  area  is  the  lowest  value  of  the 
series,  but  it  must  be  realized  that  this 
probability  can  also  be  improved  upon  by 
redundancy.  Assignment  of  additional  weapons 
to  the  same  target  will  increase  the  probability 
of  success  for  intercept  and  kill.  From  this 
example,  it  can  be  seen  that  the  reliability 
of  ground  electronic  equipment  permits  the  use 
of  less  reliable  subsystems  that  are  non- 
recoverable  or  one-shot  units.  This  in  itself 
will  provide  the  choice  of  utilizing  the  more 
refined  or  developed  equipments  where  it  can  be 
repaired  and  returned  to  service. 

General  Implementing  Documents  and  Philosophy 

The  SAGE  system  has  served  as  an  example  of 
what  has  been  accomplished  by  the  ESD  and  we  now 
turn  to  the  present  and  future  efforts.  The 
AFR  375-5,  Reliability  Program  for  Weapon, 
Support,  and  Command  and  Control  Systems,  esta- 
blished the  requirement  for  quantitative  state- 
ment of  reliability  goals  and  minimum  acceptable 
reliability  levels.  It  is  now  important  that 
we  examine  the  vehicles  available  to  us  to 
achieve  these  goals.  Prior  to  the  publication 
of  this  regulation,  there  were  in  existance 
specifications  and  standards  that  had  evolved 
from  the  Advisory  Group  on  Reliability  of 
Electronic  Equipment  (AGREE)  Report,  and 
various  exhibits  developed  by  different  centers 
and  divisions  such  as  the  Aeronautical  Systems 
Division,  Ballistic  Systems  Division,  Electronic 
Systems  Division,  and  the  Rome  Air  Development 
Center.  These  specifications,  written  to 
provide  the  framework  for  our  reliability  pro- 
grams, were  modified,  consolidated,  rewritten, 
and  submitted  to  industry  for  their  comments 
and/or  recommendations  to  provide  a general 
document  that  would  reflect  the  latest  thinking 
of  agencies  involved  directly  or  indirectly 
with  complying  the  stated  requirements.  These 


specifications,  as  they  are  today,  constitute 
the  tools  available  to  us  to  implement  a 
comprehensive  reliability  program  for  our.  sys- 
tems. There  are  numerous  specifications  pub- 
lished on  reliability,  but  the  ones  used  by  the 
ESD  have  been  narrowed  down  to  MIL-R-27542 
(superseding  MIL-R-26674) , Reliability  Program 
Requirements  for  Aerospace  Systems,  Subsystems, 
and  Equipment;  MIL-R -27070,  Reliability  for 
Development  of  C-E  Equipment;  MILr-R-26474, 
Reliability  for  Production  of  C-E  Equipment; 
MIL-R-26667A,  Reliability  and  Longevity  Re- 
quirements, Electronic  Equipment,  General 
Specification  for;  MIL-Std-44%  Reliability  of 
Military  Equipment;  IJSAF  Bulletin  506,  Relia- 
bility Monitoring;  USAF  Bulletin  510,  Relia- 
bility Organization;  and  MIL-Q-9B5&,  Quality 
Control  System  Requirements. 

These  specifications  are  by  necessity 
general  in  nature  and  are  written  to  be  equally 
applicable  to  electronic,  aeronautical, 
ballistic,  and  space  systems.  For  this  reason, 
ESD  has  found  it  necessary  to  supplement  the 
instructions  contained  in  these  specifications 
with  more  explicit  guidance  in  the  preparation 
of  requests  for  proposals  (RFP*s),  contractor 
Reliability/klaintainability  Plans,  etc.  In^ 
addition,  ESD  recognizes  that  contractor  guidance 
must  be  provided  in  the  form  of  briefings  for  all 
bidders.  When  a contractor  has  been  selected, 

ESD  provides  more  explicit  instructions  and 
direction  in  order  to  obtain  the  type  of  program 
needed  by  the  Air  Force  to  support  the  design 
and  development  of  a specified  system.  This 
guidance  provides  a firm  requirement  for  specific 
tasks  to  be  accomplished  by  the  contractor,  time 
phasing  of  events,  Air  Force  contractor  monitor- 
ing procedures,  and  methods  of  communication. 

Bidders1  Briefings.  ESD  expects  to  have 
and  has  had  participation  by  Staff  Reliability 
coordinators  in  bidders1  briefings.  The 
purposes  of  this  participation  are  to;,  (l) 
review,  interpret,  and  answer  questions  on  the 
numerical  reliability  requirements;  (2)  explain 
overall  ESD  reliability  philosophy;  and  (3) 
outline  and  recommend  the  type  and  quantity  or 
depth  of  reliability  information  needed  for 
evaluation  of  bidders*  reliability  proposals. 

This  latter  information  usually  includes; 

(1)  a prediction  of  the  reliability  of  the 
proposed  system  and  any  alternate  systems;  (2) 
the  reliability  organizational  structure  and  the 
lines  of  communication  between  management  and 
reliability,  design  engineering  and  reliability, 
manufacturing  and  reliability,  test  engineering 
and  reliability,  etc,;  (3)’  the  corrective  action 
loop;  (4)  the  design  review  structure,  its 
authority,  and  modus  operandi;  (5)  a description 
of  the  experience  and  achievements  on  past 
programs  which  involved  numerical  reliability 
requirements;  and  (6)  where  possible,  a compari- 
son of  unit  operational  or  achieved  MTBF*s  on 
similar  systems  with  predicted  unit  MTBF!s  on 
the  proposed  system  or  systems. 


305 


The  reliability  proposal  material  of  the 
successful  bidder  will  serve  as  the  contractor* s 
major  input  to  the  reliability  guidance  meetings 
to  be  discussed  in  the  next  paragraph* 

Contractor  Guidance  Meetings*  ESD  is 
utilizing  reliability  specifications  in  their 
various  "Ltr  system  programs*  Since,  as 
mentioned  earlier , these  specifications  are 
written  in  a manner  which  affords  interpreta- 
tions as  to  content  and  work  scope  per  system 
program,  ESD  conducts  reliability  guidance 
meetings  for  the  contractor.  The  main  purposes 
of  these  meetings  are  to  establish  the*  (l) 
series  of  tasks  or  work  items  which  will  define 
or  constitute  the  contractor's  formal  relia- 
bility effort.  The  basis  for  these  tasks  is 
expected  to  be  found  in  the  contractor's  reply 
to  ESD's  BFP  and  the  basic  reliability 
specifications  stipulated  contractually;  (2) 
task  descriptions,  calendar  time  durations,  and 
manpower  necessary  to  perform  each  task;  (3) 
ESD/Contractor  monitoring  at  reliability  program 
review  points;  the  number  of  review  points  will 
be  a function  of  the  importance,  scope,  and 
overall  duration  of  the  system  program;  {4} 
contractor  control  techniques  for  subcontracting 
reliability  activities;  and  (5)  schedule  and 
content  of  reliability  reports  to  be  submitted 
to  the  BSD, 

Secondary  purposes  of  these  meetings  are 
to:  (l)  establish  the  reliability  lines  of 

communication  between  ESD  and  the  contractor 
end  his  subcontractors;  and  (2)  identify  con- 
tractor and  ESD  personnel  involved  in  the  re- 
liability effort  and  their  respective  respon- 
sibilities, Perhaps  the  most  obvious  fact 
about  planning  for  the  attainment  of  system 
reliability  is  that  there  are  numerous  places 
during  a system  program  at  which  unreliability 
can  creep  in  strictly  from  faulty  communications 
between  the  agencies  involved  in  bringing  a 
system  into  the  USAE  inventory. 

Referring  to  the  first  main  purpose  of  the 
guidance  meetings,  the  use  of  the  word  formal 
serves  a particular  objective;  namely,  to 
indicate  that  the  contractor's  responsibility 
for  reliability  activities  must  extend  beyond 
the  performance  of  his  reliability  tasks  into 
all  his  engineering,  technical  support,  and 
management  activities.  Reliability  must  be 
considered  in  all  the  decisions  and  resulting 
actions  in  order  that  a system  will  be 
delivered  to  USAF  which  satisfies  or  exceeds 
the  numerical  reliability  requirements*  Under 
this  philosophy  of  operation,  the  formal 
reliability  effort  is  placed  in  proper  perspec- 
tive: it  is  a series  of  tasks  which  assist  in 

but  do  not  guarantee  the  delivery  of  a reliable 
system  and  which  must  not  only  be  integrated 
within  the  whole  family  of  contractor  tasks 
but  also  must  influence  the  manner  in  which 
these  tasks  are  performed. 

The  interaction  and  dependency  of 


contractor  tasks  are  brought  out  during  guidance 
meetings.  As  examples,  ESD  usually  negotiates 
a line  item  or  task  within  the  formal  reliability 
program  which  requires  that  the  contractor's 
reliability  organization  conduct  a malfunction 
data  collection  and  feedback  system*  The 
existence  of  this  task  is  partially  justified 
since  it  supports  the  overall  corrective  action 
process*  Therefore,  its  weak -link  identifica- 
tion output  must  be  utilised  by  reliability  and 
other  agencies  responsible  for  corrective  action 
within  the  contractor's  overall  organisational 
structure.  The  requirement  for  predictions  of 
system  reliability  during  the  design  phase  of  a 
system  program  requires  the  contractor's  design 
engineering  agency  to  supply  actual  component 
part  application  margins  of  safety  to  his  relia- 
bility organisation.  ESD  does  not  expect  that 
the  reliability  organization  will  be  required  to 
compute  actual  component  part  margins  of  safety 
but  will  review  and  utilise  the  information 
available  from  the  design  process  itself*  As  we 
will  mention  later,  ESD  expects  the  reliability 
organization  to  participate  with  design 
engineering  in  the  selection  of  part  application 
margins  of  safety. 

A clear  representation  of  the  contractor's 
control  techniques  for  the  reliability  activities 
of  his  subcontractors  is  viewed  as  necessary  for 
contractor  management  of  "L11  system  reliability 
programs.  Similarly,  the  establishment  during 
guidance  meetings  of  monitoring  or  milestone 
points  between  ESD  and  the  contractor  and  the 
general  type  and  depth  of  information  to  be 
made  available  for  ESD  review  at  these  meetings 
is  necessary  for  ESD  reliability  management.  In 
addition,  the  regular  submission  to  ESD  of 
reliability  reports  is  another  management 
control  technique* 

The  final  output  of  guidance  meetings  is 
the  submission  to  and  approval  by  ESD  of  the 
contractor's  formal  reliability  program  plan. 

Reliability  Specifications  and  Some  Resulting 
ESD  Requirements 

At  this  time,  let’s  consider  several  of  the 
reliability  specifications  which  have  been 
employed  by  BSD  on  past  system  contracts  and 
some  resulting  ESD  requirements  based  on  these 
specifications*  The  manner  in  which  these 
specifications  and  related  tasks  are  to  be 
employed  on  particular  system  programs  will  be 
determined  by  ESD  prior  to  the  briefing  and 
guidance  meetings  on  reliability, 

a*  MJL-R-2707Q.  Reliability  for 
Development  of  G~E  Equipment 

This  specification  requires  a con- 
tractor to  perform  the  following  tasks:  (l) 

system  reliability  predictions;  (2)  reliability 
indoctrination  of  key  contractor  personnel;  (3) 
prime  contractor  plan  for  control  and  direction 
of  subcontractor  reliability  activities;  (4) 


306 


critical  and/or  limited  life  component  part 
studies  and  application  recommendations;  (5) 
program  and  implement  techniques  for  designing- 
in  reliability;  {6)  reports  to  ESD;  and  (7) 
reliability  demonstration  tests* 

In  performing  reliability  predictions 
and  submitting  prediction  reports  to  ESD,  a 
contractor  must  indicate  all  mathematical 
equations,  including  the  derivation  of  any 
original  mathematical  expressions  and  the 
source  of  failure  rates  and  K factors  employed 
in  making  the  predictions.  If  failure  rates 
peculiar  to  a particular  contractor  are 
utilised  in  predicting,  in  lieu  of  '‘standard*’ 
failure  rates  contained  in  the  RADC  Reliability 
Notebook,  for  example,  ESD  requires  statistical 
and  engineering  descriptions  of  the  methods 
involved  in  collecting  and  reducing  the  data  to 
failure  rate  form* 

The  reliability  design  techniques 
described  in  this  specification  are  considered 
to  be  the  basic  means  by  which  reliability  can 
be  designed  into  an  "L**  system.  These  tech- 
niques can  be  grouped  conveniently  into  three 
general  categories:  (l)  conservative  selection 

and  application  of  piece  parts;  (2)  minimiza- 
tion of  environmental  influences;  and  (3)  use 
of  redundant  functional  replacements  and/or 
alternate  modes  of  operation.  The  last  tech- 
nique is  generally  applicable  for  "L"  systems 
which  are  not  extremely  restricted  by  weight 
and  volume  considerations  and  which,  in  terms 
of  numbers  of  functional  parts,  are  highly 
complex, 

While  the  specific  reliability  design 
techniques  to  be  employed  per  program  are 
dependent  on  the  overall  system  mission  require- 
ments, it  is  a basic  ESD  reliability  policy 
that  all  component  part  applications  must 
receive  adequate  margins  of  safety  in  order  to 
minimize  the  probability  of  system  failure  from 
nickel  and  dime  sources*  This  reliability 
policy  has  been  supported  by  the  publication  of 
the  RADG  Reliability  Notebook  which  presents 
component  part  application  interaction  models 
(stress  vs  failure  rate)  and  recommends  regions 
for  reliable  operation*  In  selecting  component 
part  vendors,  ESD  expects  a contractor  to  be 
guided  by  his  past  failure  rate  experience  on 
other  system  contracts,  his  incoming  inspection 
test  records,  his  periodic  vendor  qualification 
reviews,  and  standard  part  lists. 

A contractor's  overall  plans  for 
designing  reliability  into  1TL"  systems  are 
receiving  considerable  review  and  auditing  by 
ESD*  Audits  will  be  concerned  with  such  things 
as  how  a contractor,  with  a proposed  system 
design  which  incorporates  limited  life  or  high 
failure  rate  items  such  as  a klystron  and/or 
magnetron,  plans  to  introduce  compensating 
reliability  factors  into  his  system  design  in 
order  to  minimise  the  influence  of  these  items 
on  the  overall  system  failure  rate. 


Several  ESD  reliability  programs  have 
already  begun  to  require  the  submission  of  a 
"Reliability  Design  Handbook, 11  Each  handbook 
is  actually  a specified  plan  for  designing 
reliability  into  a system  and,  therefore, 
discusses  planned  minimisation  of  operational 
stress  techniques,  part  application  margins  of 
safety,  etc* 

With  regard  to  reliability  indoctrina- 
tion of  key  personnel,  a contractor  is  expected 
to  supplement  previous  reliability  education 
negotiated  on  other  programs  with  a minimum 
number  of  lectures,  pamphlets,  posters,  etc* 

ESD  usually  requires  that  all  lecture  notes  and 
list  of  attendees  be  made  available  upon  request. 

Since  several  items  (reliability  test- 
ing, reports)  of  MIL-R-27070  are  common  to 
other  reliability  specifications,  comments  on 
these  items  will  be  presented  during  the 
discussion  of  these  specifications. 

b.  HIL-ft-27542*  Reliability  Program  Re- 
quirements for  Aerospace  Systems,  Subsystems^, 
and  Equipment 

For  purposes  of  a brief  discussion, 
MIL-R-27542  activity  requirements  can  be  grouped 
under  several  categories:  (l)  reliability  pro- 

gram management;  (2)  parts  reliability  engineer- 
ing; (3)  systems  reliability  engineering;  (4) 
failure  analysis  and  feedback;  (5)  statistical 
engineering;  (6)  manufacturing  support;  (7) 
field  support;  (3)  reliability  tests  and  dem- 
onstration; (9)  human  factors  engineering;  (10) 
special  studies;  (11 ) reliability  indoctrination; 
and  (Ji2)  reports  to  ESD. 

Reliability  program  management  involves: 
(l)  the  development  of  a plan;  (2)  integration 
of  that  plan  within  the  overall  system  program 
plan;  (3)  monitoring  and  review  of  the  require- 
ment work  items  or  tasks;  (4)  modification  of 
the  plan  as  necessary;  and  (5)  prime  contractors 
plan  for  control  and  direction  of  subcontractor 
reliability  activities.  As  we  have  mentioned 
before,  in  a prime  contractor's  reliability 
plan,  the  subcontractor  control  function  and 
prime  contractor  monitoring  points  must  be 
clearly  defined  for  ESD*  Since  MIL-R-27542 
does  not  specify  any  date  from  award  of  con- 
tract for  submission  of  a plan,  ESD  usually 
make  the  submission  requirement  a maximum  of 
fourty-five  (45)  days.  The  exact  date  will 
vary  with  the  type  and  scope  of  a program  and 
will  be  agreed  to  at  the  contractor  guidance 
meeting. 

Parts  reliability  engineering  is 
mainly  concerned  with  the  selection  and  applica- 
tion of  ”LM  system  piece  parts.  In  the  area  of 
system  reliability  engineering,  ESD  is  inter- 
ested in  design  reviews  - type  of  reviews, 
timing  or  frequency,  personnel  Involved, 
corrective  action  recommendations,  assignment 
for  follow-up  of  the  recommendations,  the 


30? 


corrective  action  break-in  points,  and  the 
quantitative  effects  of  such  corrective  actions 
on  system  reliability. 

Design  reviews  are  expected  to  be 
performed  with  shifting  emphasis  and  frequency 
throughout  a program  and  their  conduct  is 
expected  to  be  influenced  by  the  design  for 
reliability  techniques  planned  in  the  "Relia- 
bility Design  Handbook."  ESD  is  interested  in 
participating  in  the  following  formal  types  of 
reviews;  (1)  parts  list;  (2)  stress  analysis; 

(3)  circuit;  and  (4)  physical  or  mechanical. 

Review  of  parts  lists  is  aimed  at  verir 
fying  that  parts  planned  for  use  in  a system  are 
capable  of  meeting  the  application  requirements. 
At  such  a review,  a contractor  is  expected  to 
have  available  to  support  his  selection  such 
information  as;  (l)  each  part!s  electrical  and 
environmental  rating;  (2)  qualification  test 
data;  and  (3)  previous  failure  rate  experience. 

Stress  analysis  reviews  assure  ESD  that 
an  adequate  margin  of  safety  has  been  provided 
for  each  application.  Adequate  is  dependent  on 
the  overall  system  reliability  requirements . 
Circuit  reviews  assure  ESD  that  circuits  are  not 
being  incorporated  into  a system  which  are  un- 
necessarily complex  and  prone  to  frequent 
critical  type  failures.  Physical  or  mechanical 
reviews  are  for  assurance  that  mechanical 
features  such  as  brackets,  mountings,  bolts, 
etc.  are  adequate.  They  are  also  concerned 
with  the  review  of  cooling  techniques  and  the 
number  and  location  of  test  points.  For  circuit 
and  mechanical  reviews,  a contractor's  senior 
engineering  and  engineering  management  people 
are  expected  to  participate. 

While  the  above  reviews  are  formal  and 
preplanned,' ESD  expects  continuous  informal 
reviews  and  communication  between  design  engin- 
eering and  the  reliability  organization.  For 
example,  these  informal  reviews  may  take  place 
as  the  result  of  in-plant  failure  information 
collected  and  processed  during  the  manufactur- 
ing process. 

All  engineering  change  proposals  (ECP's) 
submitted  to  ESD  must  contain  a prediction  of 
the  quantitative  effect  of  the  proposed  change 
on  system  reliability.  A contractor  must 
support  his  predictions  by  appropriate  failure 
data  and  mathematical  techniques.  Therefore, 
to  accomplish  these  predictions,  a contractor 
must  maintain  throughout  a program  a mathe- 
matical model  which  presents  a continuous 
representation  of  the  reliability  of  his  system. 
He  maintains  this  model  as  part  of  his 
statistical  engineering  activities. 

While  failure  data  collection  and 
analysis  activities  support  the  corrective 
action  process  by  the  identification  of  actual 
weak -links,  they  also  enable  the  assessment  of 
system  reliability.  Contractors  are  expected 


to  maintain  a current  computation  of  system 
reliability  throughout  a program,  to  make 
comparisons  of  actual  or  achieved  and  required 
reliability,  and  to  use  these  assessments, 
comparisons,  and  failure  data  to  modify  the 
mathematical  model  referred  to  above.  Prime 
contractors  are  expected  to  act  as  the  "data 
center"  for  all  subcontractors  and  be  able  to 
indicate  rapidly  to  ESD  actual  failure  causes, 
failure  patterns,  densities,  and  modes 
throughout  his  entire  system. 

During  contractor  guidance  meetings, 
the  failure  data  feedback  and  assessment  system 
and  the  corrective  action  loops  will  be 
discussed.  A contractor's  reliability  plan  will 
be  required  to  contain  these  systems  and  loops. 

The  maintenance  of  a current  mathe- 
matical model,  the  conduction  of  formal  and 
informal  design  reviews,  failure  data  analysis, 
feedback,  corrective  action  follow-up,  and 
review  of  ECP's  are  viewed  by  ESD  as  important 
control  activities  of  a reliability  program. 

The  need  for  a well  organized  quality 
control  function  during  the  manufacturing 
process  is  recognized  by  MIL-R-27542.  A prime 
purpose  of  such  a function  is  the  minimization 
of  the  number  of  operational  or  field  failures 
that  will  be  classified  as  to  cause  - "manu- 
facturing error."  While  inherent  and  manu- 
facturing error  failures  regulate  the  delivered 
reliability,  it  is  really  operational  relia- 
bility that  is  of  concern  to  ESD.  The  latter 
quantity  is  influenced  not  only  by  inherent 
and  manufacturing  errors  but  also  field 
handling  and  operational  caused  failures. 

To  help  minimize  the  latter  category 
of  failure  causes,  the  majority  of  "L"  systems 
have  designed  or  built  in  a certain  amount  of 
self -test  capability  to  insure  proper  system 
operation  and  the  selection  of  alternate  modes 
of  operation  in  the  event  prime  operational 
modes  malfunction  or  fail.  Such  built  in  test 
equipment  increases  the  overall  complexity  of 
the  system  and  must  be  prevented  from  inducing 
prime  mission  equipment  failures.  However, 
such  equipment  does  assist  repair  personnel  in 
performing  the  maintenance  function. 

The  efficiency  of  the  maintenance 
function  is  also  improved  by  providing  hand- 
books which  correctly  reflect  all  the  engineer- 
ing changes  to  the  system  and  the  results  of 
reliability  recommendations,  such  as,  preventive 
maintenance  concepts,  developed  during  design 
reviews  or  as  the  result  of  failure  data 
experience. 

Spare  equipment  reliability  is 
expected  to  be  at  least  equivalent  to  prime 
mission  equipment.  Therefore,  the  reliability 
tasks  are  expected  to  be  performed  on  spares. 

The  reliability  mathematical  model  is  required 
to  be  used  as  a basis  for  computing  spare 


308 


requirements.  Similarly,  there  is  a need  for 
close  communication  between  a contractor's 
engineers  woking  on  prime  mission  equipment, 
reliability  personnel,  and  engineers  assigned 
the  task  of  developing  or  procuring  AGE,  This 
need  arises  not  only  from  the  implications  of 
AGE  selection  based  on  prime  mission  equipment 
configuration  but  also  from  the  fact  that  AGE 
for  "L1*  systems  are  in  themselves  usually 
complex  electronic  equipments.  Obviously,  AGE 
that  is  not  reliable  could  lengthen,  following 
a prime  mission  equipment  failure,  the  time 
that  an  "I"  system  is  either  in  a down-state  or 
required  to  operate  in  a less  accurate  and  less 
desirable  alternate  mode. 

Reliability  demonstrations  and  reports 
are  common  to  MIL-R-27070,  MIL-R -27542,  and 
MIL-R-26474- 

e.  MIL-R-26474,  Reliability  for  Pro- 
duction of  C-E  Equipment 

MIL-R-26474  requires  tasks  which  are 
essentially  similar  to  those  suggested  in  MIL- 
E-27070. These  tasks  are  also  compatible  with 
work  items  In  MIL-R-27542*  Two  areas  of  common 
concern  in  these  three  specifications  which 
have  not  been  discussed  are  reliability  dem- 
onstration via  equipment  testing,  as  opposed  to 
analytical  or  mathematical  demonstration,  and 
monthly  reports  to  ESD. 

ESD  recognizes  that  the  basic 
sequential  model  presented  in  MIL-R-26474  is 
not  directly  applicable  to  a complete  J,LN 
system  which  may  have  several  alternate  modes 
and  redundant  replacements  for  various  func- 
tional circuitry.  The  basic  sequential  model 
is  viewed  as  a possible  vehicle  for  relia- 
bility demonstrations  of  simple  series  systems, 
a particular  mode  of  operation  of  a complex 
system,  a subsystem  of  a system,  etc* 

ESD  requires  the  submission  of  a test 
plan  for  approval  prior  to  the  commencement  of 
any  reliability  tests.  The  suggested  mathe- 
matical model  for  reliability  demonstration  is 
a critical  item  of  a contractor's  plan.  It 
governs  the  duration  of  the  tests  and  the  type 
and  quantity  of  data  ox  information  to  be 
collected  and  processed.  ESD  does  not  consider 
that  a reliability  test  plan  is  complete  until 
a clear  indication  of  the  contractor's  failure 
feedback  system  and  corrective  action  loop  is 
presented.  The  basic  loop  will  have  been 
agreed  to  at  the  guidance  meetings, 

ESD  is  also  concerned  over  the  type 
of  failure  analysis  (records  vs  laboratory)  to 
be  performed  as  the  result  of  any  reliability 
test  failure.  Mere  records  or  data  analysis  is 
not  considered  to  be  completely  satisfactory 
for  the  initiation  and  support  of  corrective 
action.  Records  must  be  supplemented  by 
laboratory  analysis. 


Contractor's  monthly  reliability 
reports  to  ESD  may  be  separate  items  or  a 
section  of  the  contractor's  overall  monthly 
reports,  ESD  expects  the  following  types  of 
reliability  information  to  be  included  in  a 
monthly  report:  (1)  current  reliability  status 

and  trend;  (2)  predicted  status  by  next  report 
period;  (3)  identification  of  actual  and 
potential  weak-links;  (4)  corrective  action 
contemplated  and  taken;  (5)  predictions  of 
corrective  action  quantitative  effects  on 
system  reliability;  (6)  summary  of  failure 
analysis  conducted;  (?)  reliability  education 
lectures  presented;  (S)  summary  of  design 
reviews  held;  and  (9)  action  required  by  ESD 
to  resolve  reliability  problems.  It  is 
recognized  that  the  type  and  quantity  of  infor- 
mation in  a report  is  a function  of  the  scope 
of  the  reliability  program,  and  the  status  of 
the  program  during  a report  period.  However, 
it  is  expected  that  prime  contractors  will 
discuss  each  subcontractor's  activities 
separately  from  their  own. 

Post  Contract  Award  Reliability  Program 
Monitoring 

Each  System  Program  Office  (SPO)  has  per 
ESD  policy  at  least  one  engineer  with  direct 
responsibility  for  monitoring  negotiated 
reliability  programs*  Immediate  support  for 
this  monitoring  function  is  obtained  from  the 
reliability  organizations  at  RADG  and  from  the 
ESD  staff  reliability  organization. 

During  the  contractor  guidance  meetings, 
definite  ESD/Gontr actor  monitoring  points  are 
established.  The  meetings  are  arranged  to 
correspond  with  significant  events  within  the 
overall  system  program  plan.  The  main  purposes 
of  the  meetings  are  to:  (l)  review  contractor 

overall  progress  on  the  reliability  tasks;  (2) 
participate  in  design  reviews;  (3)  offer 
recommendations  for  improvement  of  contractor 
performance;  (4)  review  the  reliability  require- 
ments and  progress  toward  these  requirements; 
and  {5)  where  necessary,  redirect  the  scope  and 
intent  of  one  or  all  reliability  tasks. 

Since  contractor's  reliability  reports  to 
ESD  will  be  reviewed,  questions  will  be  raised 
and  answers  needed  which  perhaps  cannot  wait 
for  formal  meetings.  Therefore,  informal 
communication  in  the  form  of  letters,  memos, 
etc,  is  expected  to  take  place  throughout  a 
program. 

In  addition,  if  a contractor's  performance 
on  the  reliability  program  is  considered  to  be 
marginal,  ESD  will  request,  in  addition  to  the 
previously  scheduled  meetings,  further 
conferences . 

Acknowledgement 

The  writers  would  like  to  acknowledge  the 
assistance  of  J,  Horowitz,  ESD  Staff  Reliability 
in  the  preparation  of  this  paper. 


309 


. 


.t:  4. 


rr  *>  j »:ti  tr/1 

..Vi  I 

' 1 -r  Si  * t.  ht>:\ 


. 


DESIGNING  RELIABILITY  IN  SPACECRAFT  SOLAR  POWER  SUPPLIES 


I,  Doshav  and  W.  F.  Emrich,  Space-General  Corporation,  El  Monte,  California 


SUMMARY 

Recently  completed  studies  on  proton  radia- 
tion and  meteoroid  damage  involving  solar  cells 
have  prompted  a fresh  look  at  solar  power  sup- 
plies from  a reliability  point  of  view*  Consider- 
ations of  both  catastrophic  failures  and  degrada- 
tion of  solar  power  devices  are  included*  Two 
design  concepts  have  been  prepared,  each  of  which 
encompasses  techniques  of  redundancy  to  obtain 
a high  level  of  reliability*  The  reliability  goal 
selected  for  this  design  is  99%  for  a lifetime  of 
one  year* 

A design  reliability  analysis  is  made  of  each 
of  the  alternative  designs.  Reliability  techniques 
are  used  in  deciding  between  the  designs.  Sample 
calculations  are  included  for  the  effects  of  redun- 
dancy, as  well  as  environmental  effects  such  as 
radiation  and  meteorite  damage.  Tables  and 
graphs  are  presented  covering  the  effects  of  ra- 
diation and  meteorite  damage.  All  sample  cal- 
culations, tables  and  graphs  presented  have  been 
specifically  selected  to  provide  an  aid  to  the  de- 
sign engineer  for  use  in  the  design  of  solar  power 
supplie  s . 

Introduction 

A fundamental  necessity  in  the  considerations 
of  a vehicle  operating  in  space  is  a source  of 
power.  For  long  periods  os  space  operation,  it  is 
desirable  that  this  power  source  be  developed 
from  the  space  environment  itself.  Three  sources, 
thermal,  nuclear,  and  solar  energy  are  consid- 
ered to  be  possible  within  current  technological 
limitations.  Since  failure  or  success  of  the  en- 
tire mission  in  space  is  dependent  on  the  reliabil- 
ity of  the  enery  conversion  system  and  the  source 
of  storage  and  supply,  it  is  appropriate  to  perform 
detailed  analyses  of  such  systems  prior  to  deter- 
mining the  configuration  for  a given  application. 

The  thermal  energy  power  sources  appear  to 
have  considerable  performance  and  reliability 
advantages  over  solar  and  nuclear  energy  devices* 
However,  a scarcity  of  application  data  exists  on 
such  devices  beyond  their  experimental  uses.  Re- 
search into  areas  of  nuclear  source  power  devices 
has  been  quite  extensive.  Practical  applications  of 
such  equipment  are  now  in  production  within  NASA 
programs  which  are  identified  under  the  SNAP 
designation.  Studies  are  now  being  conducted  on 
the  reliability  of  these  space  power  mediums,  and 
these  are  intended  for  future  publication  releases* 

Recently  completed  studies  on  proton  radia- 
tion damage  involving  solar  cells  has  prompted  a 
fresh  look  at  solar  power  supplies  from  a relia- 
bility point  of  view.  These  new  sources  of 
information,  together  with  other  readily  available 


information  (such  as  expected  meteoroid  damage, 
component  failure  rates,  and  an  understanding  of 
the  expected  environment),  present  a considerably 

more  complete  picture  for  the  use  of  design  engi- 
1 2 

neers.  x * * 

This  paper  is  an  attempt  to  compile  informa- 
tion from  the  various  solar  sources  into  a logical 
methodology  as  an  aid  to  the  design  engineer. 
Considerations  of  both  catastrophic  failures  and 
degradation  of  solar  power  devices  will  be  dis- 
cussed separately*  Failures  caused  by  meteoroid 
impact  severe  enough  to  cause  fracture  of  a cell 
and  an  open  or  short  circuit  caused  by  thermal  ex- 
pansion will  be  considered  in  the  first  category. 
Included  in  the  second  category  will  be  the  effects 
of  proton  radiation. 

Since  the  primary  purpose  of  this  paper  is  to 
discuss  solar  arrays,  all  other  components  of  a 
solar  power  supply  such  as  batteries,  regulation 
equipment,  etc*  , will  be  kept  constant,  regard- 
less of  the  solar  array  configuration*  Using  this 
technique,  all  differences  in  the  system  reliabil- 
ity must  be  attributed  to  the  solar  arrays. 

The  calculations  of  reliability  made  in  this 
paper  are  made  with  the  following  assumptions:^ 

1.  Open  circuits  o£  mounted  solar  cells  occur 
at  random. 

2.  Shorts  to  ground  within  the  array  do  not 
occur. 

3.  The  probability  of  a short  sircuit  of  an 
individual  solar  cell  is  negligible.  The  failure 
rate  in  this  mode  is  assumed  to  be  aero. 

4.  Failure  rates  of  the  interconnections  are 
negligible . 

Catastrophic  Failure  Effects 

Considerable  solar  array  environmental  study 
by  the  authors  on  such  projects  as  Ranger,  OSO, 
Transit,  and  A rents  indicates  that,  using  the  pres- 
ent fabrication  techniques,  thermal  expansions  are 
not  cause  for  malfunction  problems  (independent 
of  the  substrate).  Considerable  damage  will 
occur  to  filter  glasses,  but  this  damage  has  no 
apparent  effect  on  the  power -producing  capability 
of  the  solar  panel* 

Experiments  indicate  that  at  meteoroid  im- 
pact energies  above  10^  ergs,  damage  to  a cell 
may  be  sufficient  to  cause  complete  failure  of  the 
cell.  This  energy  corresponds  to  a visual  magni- 
tude between  18  and  19  (Whipple).  Referring  to 
figure  1,  we  see  that  impacts  of  this  energy  will 
occur  at  the  rate  of  4 per  1000  ft^  exposed  area 
per  hour  (worst  case).  4>  5,  6,  7 Assuming  the  area 
of  a solar  cell  as  2 cm^,  we  find  that  the  failure 
expectancy  for  a cell  is  0.  075  per  year,  or  the 
probability  of  surviving  meteor  destruction  is 


311 


8- 


6- 

-4 

-2 

0 

2 

4 

6 

8 

10 

12 

14 

16 

18 

20 

22 

24 

26 

28 

30 


25.0 
3.96 
.628 

9.95  x 
1.58  x 
2.  50  x 

3.96  x 
6.28  x 

9.95  x 
1.58  x 
2. 50  x 

3.96  x 
6.28  x 

9.  95  x 

i 

1.58  x 
2.5  xi 

10'10  10'9  10-8  10-7  10"6  10'5  10‘4  10"3  10"2  10"1  0 10  icP  103 


FIGURE  10  Impacts  Per  Unit  Area  Per  Hour  Vs  Mass  of  Meteroid 


312 


740  MEV 
450  MEV 
20.5  MEV 


313 


FIGURE  2 Proton  Flux  Affects  on  Solar  Cell 

Current  Changes 


PERCENT  EFFICIENCY 


FIGURE  3.  Typical  Silicon  Solar  Cell  Power  Output 
Degradation  During  Proton  Bombardment 


1-0.  075  = 0*  925  for  the  single  cell  in  a near" 
space  orbit  for  one  year* 

It  may  be  noted  that  another  approach  to  pre- 
dicting meteoriod  effects  may  be  taken  on  the 
basis  of  the  accumulation  of  total  hole  area  as  a 
function  of  time*  8 Such  approach  may  be  directly 
related  to  the  thickness  of  the  shield  and  the  ma- 
terial of  which  it  is  made*  However,  it  would  be 
difficult  to  interpret  effects  of  non -hole  making 
meteor  collisions  into  this  time -dependent-hole  - 
area  methodology.  This  is  believed  to  be  pri- 
marily due  to  the  expectancy  of  failures  of  cells 
on  the  basis  of  the  number  of  collisions  sufficient 
to  cause  damage  rather  than  the  hole  area  in- 
volved. 


Degradation  Effects 


Recent  estimates  of  proton  flux  in  the  Van 
Allen  radiation  belts  place  the  flux  at  2 x 10^ 


(E  < 40  mev)  protons/cm^-sec  for  the  inner  belt 
and  IQZ  (E  ^ 60  me’ 
outer  belt*  ^ 


and  10^  (E  ^ 60  mev)  protons  /cm-  sec  for  the 


Studies  recently  completed  by  Denney  and 
Downing ^ give  us  a basis  for  applying  these  es- 
timated fluxes*  These  studies  are  partially  sum- 
marized in  figures  2 and  3*  Figure  2 is  a com- 
posite showing  the  degradation  as  a function  of 
integrated  flux  for  3 particle  energy  levels.  The 
very  narrow  spread  of  the  curves  on  this  figure 
suggests  that  damage  is  not  heavily  dependent 
upon  the  energy  involved  and  gives  us  a firm  foun- 
dation for  basing  our  calculations  on  the  basis  of 
integrated  flux  without  regard  to  the  energy  of  the 
protons* 

Figure  3 shows  the  typical  power  output  ex- 
pressed in  percent  efficiency  as  a function  of 
integrated  flux. 


Let  us  further  assume  that  we  desire  this 
power  at  28  volts. 

P = El 

85  watts  = 28  volts  x Z 

1 = 3.  06  amps 

Assume  an  optimum  voltage  of  0.467  v per  cell. 
The  number  of  cells  in  series  to  get  28  v is  equal 
to  28/0.467  = 60  cells. 

Using  11%  efficiency  gridded  cells,  the  aver- 
age current  of  0*  467  volts  is  51  ma.  The  number 
of  cells  in  parallel  to  get  3.  06  amps  is  equal  to 
3*06/, 051  = 60  cells. 

Therefore,  to  get  85  watts  of  power  under  the 
above  circumstances  would  require  60  x 60  = 

3600  cells  * 

We  will  examine  two  electro-mechanical  con- 
figurations, and  attempt  to  define  the  better  one 
in  terms  of  reliability*  The  first  configuration 
which  we  will  call  design  ftAM  will  consist  of  5 
individual  cells  in  a series  module  arrangement 
(see  figure  4),  Five  cells  in  series  will  give 
5 x 0.467  v = 2.  335  v at  51  ma*  Twelve  of  these 
modules  will  be  wired  in  series  to  get  28  volts 
(12  x 2,  335  = 28).  We  shall  call  this  series  string 
of  5 x 12  = 60  cells  a "bank"*  Sixty  such  banks 
will  be  required  in  parallel  to  get  3.  06  amps 
(60  x * 51  - 3.  06)*  Figure  5 shows  a sample  wir- 
ing diagram  for  design  "A11*  Design  ,rBM  will  con- 
sist of  10  cells  which  will  be  sweated  to  a thin 
kovar  substrate  as  shown  in  figure  6.  They  will 
be  wired  in  parallel*  Ten  cells  in  parallelwill  give 
{10  x 0,  51  amps)  0*  51  amps  at  0.  467  v and  60  of 
these  modules  will  be  wired  in  series  to  give  28 
volts  (60  x .467  = 28).  This  parallel-series  group 
of  600  cells  (10  x 60)  is  called  a "bank"*  Six  such 
banks  connected  in  parallel  will  be  necessary  to 
get  3*06  amps  (6  x . 51  = 3.06)*  Figure  7 shows 
a sample  wiring  diagram  for  design  MB,r. 


Sample  Problem 


Reliability  Determination 


As  an  example  of  how  to  apply  this  informa- 
tion, we  will  assume  a hypothetical  orbit*  This 
satellite  will  be  in  a 100-minute  orbit;  60  minutes 
in  sunlight,  40  minutes  in  the  earth’s  shadow.  Ten 
minutes  of  each  orbit  will  be  in  the  inner  Van 
Allen  belt,  and  10  minutes  will  be  in  the  outer 
belt*  Power  requirements  will  be  assumed  to  be 
50  watts  continuous,  with  a 10  minute  peak  of  60 
watts  each  orbit*  Our  reliability  goal  is  99% 
{solar  arrays  only)  with  a lifetime  of  one  year. 

Based  on  the  above  assumptions,  it  is  deter- 
mined that  the  average  power  requirement  for  the 
satellite  is  51  watts  per  hour  or  85  watt  hours 
total  per  100  minute  orbit.  Since  this  amount  of 
power  must  be  generated  in  60  minutes  out  of 
each  100 -minute  orbit,  the  solar  array  must  be 
capable  of  producing  85  watts  of  power. 


During  the  course  of  a year,  the  integrated 
proton  flux  impinging  upon  our  solar  arrays  may 
be  calculated  by  multiplying  the  total  time  of  ex- 
posure by  the  flux  density  or 


10  minutes,  inner  belt  8760  hours 
— 

100  minute  orbit  year 


3600  seconds 
hour 


2 x 10 
cm2 


protons 

sec 


+ 


x 


10  minutes,  outer  belt  8760  hours 

x * 

100  minute  orbit  year 

2 

3600  seconds  10  protons 
hour  X cm2  sec 


6,  4 x 1010  Protons/cm^  for  the  intended 
mission  (one  year) 


315 


5 CELL  ELECTRICAL 

SINGLE  CELL  SERIES  MODULE  EDGE  VIEW  EQUIVALENT 


FIGURE  4o  Description  of  Solar  Cell  Modules 


FIGURE  5„  Wiring  of  5 Cell  Series  Modules 


316 


FIGURE  7„  Wiring  of  10  Cells  Parallel  Modules 

317 


R 

t 

. 0001 

-3.  719 

. 500 

Q.  000 

. 0005 

-3.  291 

. 550 

. 126 

. 001 

-3.  090 

. 600 

. 253 

.005 

-2.  576 

. 650 

.385 

. 010 

-2.  326 

. 700 

. 524 

. 025 

-1.960 

. 750 

. 674 

. 050 

-1.  645 

. 800 

. 842 

. 100 

-1. 282 

. 850 

1.036 

. 150 

-1. 036 

.900 

1. 282 

. 200 

- .842 

. 950 

1.645 

. 250 

- .674 

.975 

1.960 

. 300 

- .524 

.990 

2.  326 

. 350 

- .385 

.995 

2.576 

. 400 

- . 253 

.999 

3.090 

. 450 

- .126 

.9995 

3.  291 

. 500 

0.000 

.9999 

3.719 

TABLE  1 

NORMAL  DISTRIBUTION  - SELECTED  PROBABILITY  POINTS 


318 


Referring  again  to  figure  3,  we  see  that  at  an 
integrated  dose  of  6.4  x 10^  protons/ cm^  we  can 
expect  to  lose,  in  the  worst  case,  18%  of  the  ini- 
tial power-producing  capability  of  the  cells. 

Results  of  independent  calculations  shown  be- 
low are  in  agreement  with  the  above  calculations: 


a = /N  = y (878  + X)(0.  323M0.  667) 
pq 


= 2,  3Z6  (from  Table  1) 


Model 

Integrated  flux 

Fraction  of  Initial  Max,  Power 

Freden  and  White,  normalized  to  Yan  Allen’s 

1q11  p/ cm2 

75% 

4 2/ 

2 x 10  P/cm  /sec  at  peak  and  extended  to  20  me v 

for  E~20  mev 

Freden  and  White  spectrum  above  40  mev 
normalized  to  Yan  Allen's  2 x 10^  F/cm^/sec 

X 0l2P/cm2 

55% 

at  peak;  extensions  to  20  mev  using  Haugle  and 
Ruffe n Slope. 

Discussing  first  design  "A"  (5  cells  in  series), 
the  calculations  of  radiation  damage  indicate  an 
18%  loss  of  power.  Therefore,  we  must  plan  for 
an  18%  excess  of  cells  at  the  start  of  the  mission. 
Since  3600  cells  will  give  the  required  power  at 
the  onset: 


F rom  the  relationship  t - 


ZzlL 


substituting 


2 326  = X - (0.323H878  X-  X) 

/(878  + X}(0.  323){0.  667) 


and  solving  for  X using  the  quadratic  formula  we 
find  X = 467  modules. 

Therefore,  in  order  to  satisfy  a 99%  relia- 
bility for  the  mission  for  design  MAM,  we  must 
carry  878  + 467  = 1345  modules  or  6725  cells. 

A similar  methodology  can  be  applied  for  de- 
sign f,BM  (10  cell  parallel  module).  In  this  case, 
since  the  individual  cells  are  in  parallel  and  a 
meteorite  hit  will  remove  only  1 cell  from  the 
circuit  rather  than  5 as  in  the  "A"  configuration, 
the  calculation  will  be  made  on  the  basis  of  in- 
dividual cells  (rounded  up  to  groups  of  10  cells 
since  the  basic  building  block  of  this  design  is  a 
10  cell  module).  Total  number  of  cells  needed  to 
allow  for  radiation  damage  - 4390,  Predicted 
number  of  meteorite -destroyed  ceils  = 356. 
Number  of  extra  cells  needed  to  satisfy  the  99% 
reliability  requirements  ”401,  rounded  to  410. 
Total  number  of  cells  needed  for  design  "B"  = 
4800, 

Conclusions 


X - . 18  x = 3600 

= 4390  cells  or  878  each  5 cell  mod- 
ules will  provide  sufficient  power  including  offset 
of  the  radiation  damage. 

Since  the  probability  of  surviving  meteor  de- 
struction of  a cell  as  previously  estimated  is 
0,925,  the  probability  of  survival  of  a 5 cell  series 
module  is  (0.9^5)^  or  0,  677,  and  the  failure  ex- 
pectancy equals  1 - 0,  677  or  0,  323  for  the  intended 
one -year  mission.  Applying  this  failure  expectancy 
to  the  number  of  modules  which  we  must  provide 
to  satisfy  the  radiation  hazard,  we  find  that  we 
must  carry 

X = (878){G . 323)+(878)(0.  323)2+(828)(323)3  + 
(828)(323)4  + .•  ■ = — 

X - 419  extra  modules  in  our  solar  array  because 
of  anticipated  meteorite  damage.  But  419  extra 
modules  is  the  average  number  we  can  expect  to 
lose.  Half  of  the  time  we  can  expect  to  lose  less 
than  419  modules  and  half  the  time  more  than  419 
modules.  The  problem  then  becomes  one  of  deter- 
mining that  number  of  extra  modules  such  that  at 
the  end  of  a year  in  orbit  we  can  expect  a minimum 
of  878  good  modules,  99%  of  the  time. 

Since  N is  large,  the  normal  approximation  of 
the  binomial  will  be  used  where 

X ” Spare  cells  for  99%  reliability 
N = Total  cells  required  - 878  + X 
P - Module  failure  expectancy  = 0,323 
q ” ( 1 - p ) - 0,  677  = probability  of  survival 
p = Np  ~ (0.  323)(878+X) 


As  can  be  seen  from  the  above  calculations 
there  are  some  major  differences  between  the 
alternative  designs.  Design  "A11  requires  1925  or 
40%  more  cells  than  design  fJBM,  Design  "A11 
would  also  require  approximately  29%  more  area. 
Therefore,  design  "B'f  would  be  preferred. 

The  sample  problem  discussed  above  was  for 
demonstrative  purposes  only.  No  attempt  was 
made  to  select  a ’'real11  orbit.  Figure  3 and  Table 
I are  included  at  the  end  of  this  paper  as  an  aid 


319 


to  the  designers.  Once  suitable  orbits  are  cal- 
culated it  should  be  possible  to  predict  the  inherent 
design  reliability  of  a given  solar  array. 

Bibliography 

1.  Denny,  J.  M.  and  Downing  R.  G.  , ’’Charged 
Particle  Radiation  Damage  in  Semiconductors,  I: 
Experimental  Proton  Irradiation  of  Solar  Cells” 
Space  Technology  Laboratories,  Inc.  , Report  No. 
8987-000 l-RU- 000,  Sept.  1961. 

2.  Doshay,  I.  , ’’Reliability  Design  for  an  Orbit- 
ing Spacecraft,  ” Aerojet-General  report  No.  S60- 
232,  presented  at  1st  Seminar  on  Reliability  in 
Space  Vehicles,  5 Dec.  I960. 

3.  Klein,  W.A.  and  Lehr,  S.  N.  , ’’Reliability  of 
Solar  Arrays,  ” presented  to  Second  Annual  Sem- 
inar of  Reliability  in  Space  Vehicles,  Los  Angeles 
Section,  I.  R.  E.  , 5 Dec.  1961. 

4.  Whipple,  F.  L.  , "Meteor  itic  Material  in  Space,  ” 
Chap.  3,  Proceedings  of  the  Second  International 
Symposium  on  Physics  and  Medicine  of  the  Atmo- 
sphere and  Space,  Nov.  1959,  edited  by  O.  Benson 
Jr.  and  H.  Strughold,  John  Wiley  and  Sons,  Inc. 

5.  Grimminger,  G.  , ’’Probability  that  a Meteo- 
rite Will  Hit  or  Penetrate  a Body  Situated  in  the 
Vicinity  of  the  Earth,  ” Rand  Paper  P-18,  April 
1948. 

6.  McCoy,  T.M.,  ’’Hyper environmental  Simula- 
tion, Part  1:  Definition  and  Effects  of  Space  Ve- 
hicle Environment,  Natural  and  Induced,  ” WADD 
Technical  Report  60-785,  January  1961. 

7.  Davison,  E.  H.  and  Winslow,  P.  C.  Jr., 

’’Space  Debris  Hazard  Evaluation,  ” NASA  Techni- 
cal Note  D1105,  December  1961. 

8.  Edmiston,  R.  M.  , ’’The  Prediction  of  Meteo- 
rite Hole  Area  in  a Space  Vehicle  Near  the  Earth,  " 

IAS  paper  62-29,  IAS  30th  Annual  Meeting,  New 
York,  Jan.  1962, 

9.  Doshay,  I.  , ’’Spacecraft  Environmental  Tables 
and  Graphs,  ” Report  No.  1974,  Aerojet-General 
Corp.  , Azusa,  California,  March  1961. 

10.  Van  Allen,  J.  A.  ''Corpuscular  Radiations  in 
Space"  Radiation  Research,  14:540-550,  1961. 

11.  Hess,  R.  E.  and  Badertscher,  R.  F.  , "Space 
Radiation  as  an  Environmental  Constituent,  ” RIEC 
Memorandum  19,  Battelle  Memorial  Institute,  Jan- 
uary I960. 


320 


ACHIEVEMENT  OF  RELIABILITY 
IN 

SPACE  SYSTEMS 

Harvey  W.  Fritz 
Space  Systems  Division 
Air  Force  Systems  Command 
Los  Angeles  45,  Calif 


The  first  DOD  sponsored  Joint  Military  - 
Industry  Reliability  Symposium  was  held  in  1954. 
During  that  symposium  and  the  subsequent  five 
symposia,  a tremendous  number  of  ideas  and 
techniques  related  to  the  improvement  of  guided 
missile  reliability  were  presented.  Yet,  at  the 
close  of  the  last  symposium  which  was  held  in 
February  I960,  it  was  the  general  consensus  of 
opinion  that  we  had  a long  way  to  go  in  achieving 
the  desired  level  of  guided  missile  reliability. 

Recognition  of  this  problem  of  missile 
reliability  is  universal,  but  consider  further  the 
fact  that  in  the  past  few  years  the  United  States 
has  embarked  upon  a full  scale  space  program. 
This  program  currently  consists  of  the  develop- 
ment of  such  systems  as:  manned  lunar  explora- 
tion vehicles,  communications  and  weather 
satellites,  and  military  space  systems. 

In  the  development  of  space  systems  the 
designer  is  confronted  with  reliability  problems 
which  make  those  which  face  the  missile 
designer  seem  simple  by  comparison.  He  must 
now  design  systems  which  will  function  contin- 
uously for  long  periods  of  time  without  mainte- 
nance in  new  kinds  of  environments,  such  as:  a 
near  perfect  vacuum,  radiation,  zero  gravity, 
meteorite  and  micrometeorite  impact,  and  new 
temperature  considerations.  These  environ- 
ments are,  in  addition  to  the  shock,  acceleration, 
vibration  and  temperature  environments  which 
are  inherent  in  the  boost  phase. 

Table  I presents  some  relative  reliability 
requirements  for  a subsystem  in  aircraft, 
missile,  and  satellite  applications.  The  typical 
subsystem  chosen  is  a 25  Watt  UHF  transmitter 
which  might  be  used  in  any  one  of  the  three 
applications.  The  mission  times  and  reliability 
requirements  shown  in  Table  I have  been  taken 
from  documents  containing  requirements  which 
have  been  placed  on  existing  systems  and  are 
therefore  considered  representative  of  actual 
requirements.  It  should  be  noted  that  although 
the  Mean  Time  to  Failure  (MTTF)  for  the  trans- 
mitter in  a missile  application  is  only  slightly 
higher  than  the  MTTF  in  an  aircraft  application, 
the  MTTF  requirements  for  the  space  application 
are  several  orders  of  magnitude  more  severe 
than  those  requirements  for  either  missile  or 
aircraft  applications. 

The  magnitude  of  the  design  problem 
created  by  the  high  vacuum  environment  of  space 
is  exemplified  in  the  following  quotation  from  a 
Hughes  Aircraft  Company  Technical  Memorandum 
(Reference  3): 

"One  of  the  most  severe  problems  presented 
by  the  space  environment  is  the  effects  of  ultra - 
high  vacuum  on  lubricants  and  metallic  surfaces. 
Most  lubricants  which  are  presently  available 
are  useless  in  space  due  to  their  high  vapor 


pressure  which  eventually  results  in  their  com- 
plete volatilization.  When  the  lubricant  has 
disappeared,  the  coefficient  of  friction  of  the 
surfaces  in  contact  increases  greatly. 

’’The  loss  of  lubricant  is  followed  by  a 
progressive  loss  of  surface  films  either  by 
volatilization  or  as  a result  of  frictional  wear. 
Once  surface  films  and  adsorbed  gases  are  lost, 
contact  between  the  uncontaminated  surfaces  caq. 
result  in  galling  and  seizing  or  ’cold  welding.1 

’’The  problem  of  preventing  seizure 
requires  consideration  not  only  in  bearings,  but 
also  in  electrical  contacts,  such  as,  commutator 
brushes,  slip  rings,  switches  and  relays.” 

This  same  reference  describes  an  experi- 
ment which  demonstrated  ’’cold  welding”  of 
materials  in  high  vacuum.  In  this  experiment  a 
cold  rolled  steel  plate  and  rod  were  brought  in 
contact  with  each  other  in  a vacuum  of  8 x 10“' 
mm  Hg  after  elimination  of  surface  contamina- 
tion. After  contact,  the  rod  was  moved  across 
the  surface  of  the  base.  Complete  seizure 
occurred  after  a short  distance  of  movement. 

A measurement  of  the  tensile  strength  of  the 
seizure  was  made  and  was  found  to  be  approxi- 
mately 45,000  psi,  which  approaches  the  bulk 
strength  of  the  metal.  It  should  be  noted  that 
the  vacuum  used  in  this  experiment  is  one  which 
would  be  experienced  at  approximately  350  miles 
above  the  earth’s  surface.  It  is  estimated  that 
the  vacuum  in  space  can  become  10"^^  mm  Hg 


or  lower. 

Other  effects  of  high  vacuum  on  materials 
are  sublimation  and  evaporation  of  materials. 
Certain  materials  may  give  off  corrosive  gases 
when  they  sublime  or  evaporate.  Such  corrosive 
gases  may  cause  severe  corrosion  effects  in 
adjacent  equipment  or  may  substantially  alter 
the  strength  or  functional  characteristics  of  the 
component  containing  the  sublimating  or  evapo- 
rating material. 

The  penetrating  radiation  environment  of 
space  may  be  a formidable  problem  to  the 
designer  of  space  vehicles.  Penetrating  radi- 
ation may  be  due  to  a variety  of  sources. 
Probably  the  most  important  sources  are: 

Cosmic  radiation,  trapped  radiation  (Van  Allen 
Radiation),  and  solar -flare  radiation.  Mate- 
rials subjected  to  radiation  from  these  sources 
may  severely  change  in  their  physical  and 
chemical  properties.  As  a result,  components 
containing  these  materials  may  suffer  intoler- 
able changes  in  their  performance  character- 
istics or  strengths. 

High  temperatures  within  a space  vehicle 
will  be  caused  primarily  by  direct  solar 
radiation,  although  other  effects  such  as  earth 
shine,  earth  radiation,  and  internal  heating  of 
the  equipment  itself  will  contribute  to  the  high 


321 


temperature  environment.  Normally!  when 
designing  for  temperature  control,  the  engineer 
considers  the  effects  of  convection  in  dissipating 
heat.  However,  he  must  keep  in  mind  that  there 
is  no  convection  in  space.  One  can  design  for 
temperature  control  by  means  of  absorptive  and 
reflective  surfaces  on  the  outside  protective  skin 
of  the  space  vehicle.  By  adjusting  the  reflective 
and  absorptive  properties  of  the  surfaces,  the 
intake  and  output  of  heat  can  be  adjusted;  and  if 
it  is  balanced  with  the  amount  of  heat  being 
generated  by  the  internal  equipment,  then  the 
internal  temperature  can  be  made  to  stabilize  at 
an  acceptable  level.  The  effect  of  direct  solar 
radiation  is  on  the  side  of  the  space  vehicle  which 
is  toward  the  sun.  This  side  may  become  very 
hot,  while  the  side  away  from  the  sun  may  be 
very  cold.  This  condition  may  be  minimized  by 
rotation  of  the  vehicle.  However,  this  may  not 
be  feasible  in  the  case  of  a vehicle  in  which  parts 
of  the  vehicle  must  be  continually  oriented 
toward  the  sun. 

Collision  with  space  particles  such  as 
meteorites  and  micrometeorites  are  a definite 
space  problem  and  must  be  taken  into  account 
in  design,  A considerable  amount  of  data  has 
been  obtained  relative  to  the  density  of  the  space 
dust  micrometeorites,  their  masses,  and  their 
si^es.  Table  II  gives  some  design  figures  which 
can  be  used  for  determining  the  thickness  of  the 
protective  shell  to  be  used  on  the  outside  of  a 
satellite  or  space  vehicle.  Another  problem 
created  by  space  dust  is  that  after  a period  of 
time  the  outside  surface  will  become  roughened 
as  if  it  were  sandblasted.  This  sandblasting 
upsets  the  balance  between  absorptivity  and 
reflectivity  in  the  case  of  those  space  vehicles 
which  are  using  this  means  as  a device  for  tem- 
perature control. 

The  reliability  problem  of  space  systems 
is  further  complicated  by  their  tremendous 
critical  part  complexity.  In  a missile  or  space 
system  there  are  hundreds  of  thousands  of 
critical  parts.  Publications  indicate  that  the 
Atlas  missile  contains  between  250,000  and 
300,000  parts,  the  majority  of  which  are  critical. 

Now  consider  the  potential  complexity  of 
a manned  space  system.  The  number  of  critical 
parts  may  be  a million  or  more.  If  a failure  of 
a part  occurs  in  a space  system  after  launch, 
you  have  to  live  with  the  consequences.  There 
just  isn't  any  repair.  The  consequences  of 
failure  of  such  parts  as  relays,  connectors, 
transistors,  etc,,  may  be  the  loss  of  a multi- 
million  dollar  missile,  the  failure  of  a multi- 
billion  dollar  attempt  to  land  a man  on  the  moon 
and  return  him  safely,  or  may  jeopardize  our 
national  prestige  or  security. 

It  is  significant  to  note  that  there  are  a 
number  of  publications  which  indicate  great 
concern  by  the  Department  of  Defense  relative 
to  the  unreliability  of  electronic  equipment,  both 
ground  and  airborne.  Much  of  this  concern  was 
developed  during  World  War  II.  Since  that  time 
improvements  have  been  made  in  electronic 
part  and  equipment  reliability.  However,  the 
increase  in  critical  part  complexity  of  our  space 
systems  has  been  increasing  at  a greater  rate 
than  the  part  improvement  rate. 


Now  the  question  arises:  How  much 

reliability  is  required  for  the  critical  parts  of 
space  systems?  In  order  to  answer  this  question, 
it  is  necessary  to  examine  the  relationship  be- 
tween complexity  and  reliability. 

Reliability  is  defined  as  the  probability  that 
a system  will  perform  a required  function  under 
specified  conditions  without  failure. 

Mathematics  of  probability  states  that  the 
overall  reliability  equals  the  product  of  the 
reliabilities  of  the  individual  parts  as  follows: 

Poverall  = P1  . p2  . p3 Pn 

where  p] , P3>  Pn  are  the  reliabilities  of 

each  of  the  individual  parts  of  the  system,  A 
part  is  defined  as  one  piece,  or  a combination 
of  pieces  joined  together  which  are  not  normally 
subject  to  disassembly  without  destruction  of  the 
designed  use*  In  this  formula  it  is  assumed  that 
the  failure  of  any  one  of  the  parts  will  cause  a 
failure  of  the  system.  The  graph  in  Figure  1 
illustrates  the  effect  of  complexity  on  reliability 
for  systems  of  various  complexities.  It  can 
readily  be  seen  that  in  order  to  achieve  a 
reliability  of  80  percent  in  a system  having 
400  parts,  each  part  must  have  a failure  rate 
no  greater  than  1 per  1800  or  a reliability  of 
99,945%.  Now  consider  the  reliability  required 
for  each  of  the  parts  of  a 100,000  part  system 
in  order  to  achieve  an  80%  system  reliability. 

The  answer  is  99,99978%  or  1 permissible 
failure  per  450,000, 

If  this  answer  startles  you,  it  should  be 
noted  that  the  failure  rate  should  really  he 
much  less,  because  the  probabilities  of  un- 
detectable human  errors  throughout  the  chain 
of  events  from  the  time  of  system  conception 
to  the  time  of  "end  use"  were  not  included. 

The  foregoing  treatment  of  reliability 
versus  complexity  indicates  two  areas  in  which 
to  concentrate  in  order  to  achieve  high  orders  of 
reliability.  These  are:  first,  simplification 

and  second,  increased  critical  part  reliability. 
Simplification  should  certainly  be  attempted  to 
the  maximum.  However,  due  to  the  ever  in- 
creasing demands  for  increased  performance 
and  for  the  accomplishment  of  increasing 
numbers  of  exotic  tasks,  the  complexity  of  our 
aerospace  systems  continually  increases. 
Therefore,  it  appears  that  achievement  of  an 
ultra  high  order  of  reliability  for  parts,  com- 
ponents, and  subsystems  is  the  approach  which 
must  be  pursued. 

At  this  point  I am  sure  you  are  beginning 
to  think  that  the  task  of  achievement  of  the 
required  ultra  high  level  of  reliability  is  im- 
possible, It  is  not  impossible.  However,  its 
accomplishment  is  a challenge  of  a staggering 
magnitude  to  the  imagination  of  our  industrial 
management  and  to  the  ingenuity  of  our  design, 
production,  test,  and  quality  control  engineers, 
and  our  scientists* 

Fundamental  to  the  accomplishment  of  the 
task  is  an  immediate  expansion  of  management 
disciplines  to  control  the  actions  of  every  in- 
dividual, who  could  conceivably  degrade  the 


322 


system  reliability,  from  the  time  of  conception 
through  11  end  useH  in  order  to  assure  that  the 
actions  of  these  individuals  are  realistically 
directed  toward  attainment  of  the  reliability 
goal. 

Much  can  be  said  about  the  disciplines 
required  in  each  major  management  area* 
However,  I wish  to  address  my  comments  to  the 
design  area,  because  I believe  it  is  the  designer 
who  has  the  greatest  impact  on  the  level  of 
reliability  finally  achieved.  It  is  the  efforts  of 
the  designer  that  establish  the  highest  potential 
reliability  of  a system*  Reliability  must  be 
designed  into  the  parts,  components,  subsystem 
and  systems --it  cannot  be  tested  or  inspected  in* 

In  order  for  a designer  to  achieve  the  ultra 
high  degree  of  reliability  required  in  aerospace 
systems  he  must  meticulously  pursue  the  follow- 
ing  basic  tasks: 

1,  Acquire  or  determine  the  level  of 
environmental  stresses  to  which  his  equipment 
will  be  subjected, 

2.  Design  his  equipment  to  be  compatible 
with  established  environmental  stress  levels. 

3*  Prove  design  adequacy. 

Knowledge  of  the  environmental  stresses 
to  which  an  equipment  will  be  subjected  is  the 
basic  building  block  for  a designer.  He  must 
know  every  conceivable  environment  and  its 
magnitude  both  external  and  self  induced  to  which 
his  equipment  will  be  subjected  throughout  its 
entire  life  cycle.  Where  a firm  knowledge  of  the 
environmental  conditions  is  not  available  a con- 
servative estimate  must  be  established* 

After  establishment  of  the  values  of 
environmental  stresses  to  he  used,  the  designer 
must  consider  the  following  major  factors  in 
order  to  achieve  a reliable  design: 

1.  Safety  factors  and  safety  margins* 

2.  Failure  mode  identification  and  cause. 

3.  Failure  effective  analysis. 

4.  Standardization  of  design  and  parts, 

5.  Simplification  of  design. 

6.  Assessment  of  state-of-the-art. 

7.  Trade-offs  of  parameters. 

8.  Derating  of  parts, 

9.  Redundancy  for  greater  reliability. 

1 0 , Maintainability , 

11,  Producibility  * 

12,  Design  for  acceptable  storage  life  with 
minimum  packaging  or  need  for  special  environ- 
mentally controlled  storage, 

13,  Ease  of  operation, 

14,  Ease  of  transportation. 

15,  Ease  of  inspection* 

16,  Human  engineering. 

17*  Calibration, 

Throughout  the  design  process  the  design- 
er is  faced  with  the  problem  of  determining 
whether  or  not  he  has  designed  the  required 
degree  of  reliability  into  a part,  component, 
subsystem  or  system.  It  is  common  practice 
for  designers  to  rely  on  the  following  sources 
for  this  evaluation: 

1.  Testing  one  or  a small  number  of 
parts  or  equipments  to  specific  environmental 
levels. 


2.  Analysis  of  field  and  factory  failure 

data, 

3.  Analysis  of  flight  results  from  teleme- 
try records. 

Environmental  testing  of  an  equipment  is 
certainly  a necessary  part  of  the  design  evalu- 
ation procedure.  However,  testing  one  or  a 
small  number  of  equipments  to  a specific 
environmental  level  raises  a serious  question 
relative  to  the  degree  of  confidence  that  the 
strength  of  the  equipment  is  not  at  or  close  to 
the  threshold  of  failure.  If,  in  fact,  the  equip- 
ment were  at  the  threshold  of  failure,  a great 
probability  exists  that  subsequently  procured 
equipments  of  the  design  which  was  tested  would 
fail  below  that  specified  environmental  level 
due  to  manufacturing  variability.  It  is  also 
significant  to  note  that  accurate  environmental 
stress  levels  are  rarely  ever  known  early  in  a 
developmental  program.  Hence,  the  designer 
could  be  testing  to  a value  of  an  environmental 
stress  level  below  that  which  will  actually  be 
encountered.  This  possibility  in  combination 
with  inevitable  manufacturing  variability  could 
result  in  high  probability  of  subsequent  failure 
of  his  equipment. 

Analysis  of  field  failure  data  is  very 
important  in  proving  design  adequacy*  However, 
the  conditions  surrounding  the  acquisition  of 
these  data,  e.g,,  pressure  of  schedules,  training 
of  personnel,  etc*,  can  seriously  affect  their 
accuracy  and  completeness.  Furthermore,  the 
environmental  conditions  in  which  these  failures 
occur  are  distinctly  different  than  aerospace 
system  flight  environments*  Asa  result,  a 
great  deal  of  speculation  relative  to  the  exact 
cause  of  failure  is  inherent  in  this  method  of 
evaluation  of  design  adequacy. 

There  certainly  is  no  substitute  for  flight 
test  programs  for  demonstrating  the  perfor- 
mance capability  of  an  aerospace  system.  How- 
ever, it  is  certainly  a fallacy  to  depend  pri- 
marily on  telemetry  from  a system  during  flight 
to  pinpoint  accurately  the  cause  of  a failure. 

To  obtain  enough  channels  of  telemetering  to 
accomplish  failure  analysis  in  a system  having 
hundreds  of  thousands  of  critical  parts  is 
practically  impossible. 

This  method  of  evaluation  definitely  had 
serious  limitations  when  applied  to  aerospace 
systems  where  the  launched  systems  cost 
millions  of  dollars*  Furthermore,  in  most  of 
our  space  programs  the  total  number  of  vehicles 
to  be  launched  is  very  small,  or  it  may  even  be 
one* 

Therefore,  the  highest  possible  degree  of 
confidence  that  a reliable  design  has  been 
achieved  must  be  developed  prior  to  launch, 

I believe  that  one  of  the  most  realistic 
methods  of  proving  design  adequacy  with  the 
highest  degree  of  confidence  is  through  the 
engineering  principle  of  the  safety  factor  or 
safety  margin. 

The  principle  of  the  safety  factor  is  not  new. 
It  has  been  used  for  ages  by  engineers  primarily 
in  the  design  of  structures  and  devices  which 
involve  human  safety,  i.  e,,  building  structural 


323 


members,  bridges,  elevators,  etc.  We  look 
upon  the  aircraft  as  a highly  reliable  machine. 
This  high  degree  of  reliability  is  primarily  due 
to  the  establishment  of  safety  factors  in  the 
strength  of  critical  parts,  such  as  wings,  landing 
gears,  control  mechanisms,  etc.  It  is  very 
important  to  note  that  the  use  of  safety  factors  is 
not  something  that  is  optional  on  the  part  of  the 
designer  of  aircraft  critical  parts --it  is  a design 
discipline  which  is  rigidly  imposed  on  the 
designer  through  specifications. 

The  safety  factor  is  defined  as  the  ratio  of 
the  ultimate  strength  of  an  equipment  to  the 
maximum  stress  to  which  the  equipment  will  be 
subjected.  In  order  to  prove  the  existence  of  a 
safety  factor  it  is  necessary  to  subject  an  equip- 
ment to  a "test-to-failure."  Test-to -failure  is 
accomplished  by  subjecting  the  sample  to  in- 
creasing levels  of  an  environmental  stress  until 
failure  occur s- -failure  may  be  either  functional 
or  structural.  Generally,  when  a designer  has 
proven  that  he  has  designed  the  specified  safety 
factor  into  an  equipment,  he  is  not  required  to 
repeat  the  test.  The  question  then  arises:  Would 
testing  of  additional  samples  of  the  same  equip- 
ment produce  the  same  value  of  a safety  factor? 
Due  to  inevitable  manufacturing  variability,  a 
variation  in  the  equipment  strength  and  the  value 
of  the  safety  factor  can  most  certainly  be 
expected.  Since  this  is  true,  it  is  necessary  to 
determine  the  magnitude  of  these  strength  vari- 
ations, because  the  existence  of  a large  vari- 
ation could  result  in  a high  probability  of  failure. 

Considering  the  fact  that  the  failure  rate 
of  the  critical  parts  of  our  aerospace  systems 
may  be  only  one  permissible  failure  in  500,000 
or  1,000,000,  knowledge  of  the  strength  for  these 
parts  and  its  relation  to  the  maximum  environ- 
mental stresses  to  be  encountered  is  absolutely 
necessary. 

In  order  to  determine  the  variation  in  the 
strength  of  a part  or  equipment  it  is  necessary 
to  11  test -to -failure  " samples  of  the  parts  or 
equipments.  The  results  of  these  tests -to- 
failure  can  be  plotted  as  shown  in  Fig.  2. 

The  standard  deviation  of  the  resulting 
variation  about  the  average  strength  can  then  be 
calculated  (See  Appendix  for  a sample  calcu- 
lation). The  number  of  standard  deviations  that 
exist  between  the  maximum  environmental  stress 
and  the  average  strength  can  then  be  referred  to 
as  the  M safety  margin."  The  utilization  of  the 
"safety  margin"  evaluation  technique  provides 
the  designer  with  a realistic  means  of  assessing 
the  probability  of  a failure  due  to  strength  vari- 
ations. 

It  is  important  to  note  that  a test-to -failure 
reveals  modes  of  failure  and  critical  weaknesses. 
Therefore,  after  each  test-to-failure  the 
character  of  the  exposed  modes  of  failure  and 
critical  weaknesses  should  be  thoroughly 
analyzed.  Such  an  analysis  after  the  first  test 
may  indicate  that  a very  simple  design  change 
could  increase  the  strength  of  a part  or  equip- 
ment substantially.  As  a result  of  incorporating 
the  change,  the  second  test  might  demonstrate  a 
safety  factor  so  large  that  no  further  testing 
would  be  necessary.  Even  though  a second  sample 


were  not  available  for  test-to-failure,  an  in- 
crease in  confidence  in  the  design  would  be 
established  as  a result  of  the  design  change. 
Another  result  of  the  mode  of  failure  analysis 
might  indicate  that  the  part  or  equipment  is 
totally  unacceptable. 

If  several  parts  or  equipments  are  tested 
to  failure  and  the  resulting  safety  margin  is 
unacceptable,  the  designer  may  increase  the 
safety  margin  in  the  following  ways:  The  first 

solution  is  to  reduce  the  strength  variation. 

This  might  be  accomplished,  for  example,  by  a 
more  rigid  quality  control.  The  second  solution 
is  to  increase  the  average  strength  through 
redesign.  The  third  solution  is  to  reduce  the 
maximum  environmental  stress.  An  example  of 
how  this  could  be  accomplished  would  be  the 
provision  of  additional  cooling  in  a case  where 
heat  is  the  problem.  Another  example  would  be 
the  isolation  of  the  part  or  equipment  from  the 
hostile  environment,  e.g.,  isolation  of  parts  or 
equipments  from  the  effects  of  a "hard  vacuum" 
by  placing  them  in  a pressurized  hermetically 
sealed  container. 

Now  the  question  arises:  What  value  of 

safety  margin  should  be  demonstrated  for  the 
critical  parts  of  a space  system?  Since  failure 
rates  of  one  in  500,000  or  1,000,000  may  be 
required,  the  answer  should  be  at  least  5 
standard  deviations. 

Since  the  safety  margin  forms  the  basis  for 
an  estimate  of  a failure  rate,  the  inevitable 
question  arises:  How  much  confidence  can  be 

assigned  to  the  values  of  safety  margins  obtained 
from  testing -to -failure  small  numbers  of  units, 
such  as  10  or  12?  In  a statistical  sense,  the 
answer  is:  Very  little  confidence  when  evalu- 
ating the  critical  parts  of  equipments  of  highly 
complex  space  systems.  The  number  of  units  of 
hardware  available  for  test-to-failure,  even 
including,  parts,  is  definitely  too  small  to  develop 
a reasonable  degree  of  statistical  confidence. 
This  fact  can  be  appreciated  when  one  considers 
the  fact  that  demonstration  of  a failure  rate  of 
one  in  100,000  at  a 90  percent  confidence  level 
requires  230,259  units  to  be  tested  before  first 
failure  - even  at  a 50  percent  confidence  level, 
69,315  would  have  to  be  tested  before  first 
failure. 

Even  though  the  estimate  of  the  failure  rate 
on  the  basis  of  the  demonstrated  safety  margin 
may  be  crude,  nevertheless,  it  provides  the 
basis  for  engineering  confidence  not  attainable 
by  any  other  means. 

Now,  I wish  to  present  an  actual  example  of 
an  application  of  the  safety  margin  method  of 
proving  design  adequacy.  The  example  chosen 
was  taken  from  the  document  in  Reference  2, 
and  involved  the  design  evaluation  of  a gas  pro- 
ducing squib.  Figure  3 shows  a plot  of  the  data 
acquired  during  the  evaluation,  and  the  following 
quotation  provides  the  explanation  of  evaluation 
procedure  and  results  quoted  below: 

"In  order  to  arrive  at  an  engineering  con- 
fidence level  in  the  squib,  a determination  was 
made  of  the  degree  of  performance  variability. 
Moderate  sample  sizes  were  tested  and  the  re- 
sults plotted  as  shown  in  Figure  Number  5 


(Fig,  3 in  this  text).  This  data  was  then 
analyzed  and  conclusion  reached  in  regard  to 
the  safety  factor  existing  between  the  actual 
performance  and  the  requirement. 

’’The  group  on  the  left  represents  a control 
group  which  was  tested  at  room  ambient  temper- 
ature with  no  previous  environmental  testing. 

The  center  group  represents  items  that  under- 
went 20  cycles  of  thermal  shock  between  -80°F 
and  + 220°F.  The  group  on  the  right  represents 
items  that  underwent  2 0 cycles  of  thermal  shock, 
identical  to  the  previous  group,  but  which  in 
addition  were  subjected  to  shock  and  vibration 
environments  at  220°F.  The  ordinate  represents 
gas  volume  expressed  in  cubic  centimeters.  As 
indicated,  600  cc  is  the  medium  activation 
volume  required. 

"Results  of  the  control  group  around  a 
mean  of  980  cc  indicates  a rather  wide  vari- 
ability. 

"The  Thermal  Shock  group  shows  a much 
narrower  variability  around  approximately  the 
same  mean. 

"The  combined  Thermal  Shock  and 
Dynamic  Test  Group  shows  approximately  the 
same  degree  of  variability  as  the  previous  group 
but  at  a higher  mean  of  approximately  1060  cc. 

"However,  the  large  number  of  sigma  units 
between  the  mean  and  the  requirement  in  every 
group  indicates  that  there  is  practically  no  prob- 
ability of  any  of  these  squibs  failing  to  deliver 
the  minimum  600  cc  volume  required. 

"During  the  development  of  the  squib,  the 
mean  gas  volume  has  steadily  increased  up  to 
the  present  level  shown  at  the  right  with  a 
corresponding  decrease  in  variability.  The 
present  squib  with  its  extremely  low  variability 
is  regarded  as  a high  reliable  battery  com- 
ponent ." 

In  this  presentation  I have  attempted  to 
point  out  only  the  fundamental  aspects  of  the 
safety  factor  and  safety  margin  concept  for 
proving  design  adequacy.  A more  detailed 
treatment  may  be  acquired  through  a study  of 
the  documents  in  attached  list  of  references. 

In  summary,  I wish  to  state  again  that  it 
is  the  designer  who  established  the  highest 
potential  reliability  which  may  be  attained  by  a 
system.  Therefore,  it  is  incumbent  upon  the 
designer  to  use  the  most  effective  tools  available 
to  prove  adequacy  of  his  designs.  It  is  my 
firm  conviction  that  the  widespread  use  of  the 
safety  factor  and  safety  margin  concept  will 
significantly  accelerate  the  achievement  of  the 
high  degree  of  reliability  required  in  our  space 
systems. 

REFERENCES 

1.  Lusser,  Robert:  Reliability  Through 

Safety  Margins,  Army  Rocket  and  Guided 
Missile  Agency,  Redstone  Arsenal, 

Alabama,  October  1958. 

2.  McCutcheon,  Robert:  Reliability  Programs, 

U.S.  Army  Signal  Research  and  Engineer- 
ing Lab.,  Fort  Monmouth,  N.J. 


3.  Seizure  of  Metallic  Surfaces  in  Ultrahigh 
Vacuum;  Report  No".  TM -685,  Hughes 
Aircraft  Co.,  15  July  1961; 

E.E.  Brueschke  and  R.H.  Suess, 

4.  Designer^  Guide  to  Space  Radiation 
Effects;  Lockheed  Missiles  and  Space 
Division,  Lockheed  Aircraft  Corp. ; 
Document  No.  LMSC  5-10-61-29. 


325 


TABLE  I 


Typical  Reliability  Requirement?  for  Electronic  Subsystem 
{25  Watt  UHF  Transmitter) 


Reliability 

{Probability  of  Mean  Time 

; Mo  Failure  to  Failure 

Application  Mission  Time  During  Mission)  (MTTF) 

Aircraft 

8 hours 

(without  maintenance) 

0,92 

100  hours 

Missile 

1,75  hours 
(including  tactical 
countdown) 

0.99 

175  hours 

Satellite  A 
(R&D) 

1 month 
(720  hours) 

0.96 

25  months 
(18,000  hours) 

Satellite  B 
(Operational) 

1 year 

(8,640  hours) 

0.96 

25  years 
(216,000  hours) 

326 


TABLE  JL 


FREQUENCY  OF  PENETRATION  OF  ALUMINUM  SKIN 


BY  MICROMETEORITES 

THICKNESS 

FREQUENCY 

OF 

OF 

ALUMINUM 

SKIN* 

PENETRATION 

.Icm 

ONCE  EVERY  50  DAYS 

.32  cm 

ONCE  EVERY  2000  DAYS 

1.0  cm 

ONCE  EVERY  100  YEARS 

* FOR  SPHERE  OF  3 METER  DIAMETER 


327 


OVER  ALL  RELIABILITY  OF  MISSILE,  PER  CENT 


40 


I/225  PERMISSIBLE  AVERAGE 

i/450  {probabilities  of  failure 

Vqqq  [ OF  COMPONENTS  FOR 
^1350  ATTAINING  80  PER  CENT 
^1800  CVER-ALL  RELIABILITY 

\ . 

J-  50  COMPONENTS 


'o>  °0 

>°o  ' 


100  99  98  97 

AVERAGE  RELIABILITY  OF  ALL  COMPONENTS,  PER  CENT 

OVER-ALL  RELIABILITY  AS  A FUNCTION  OF 
COMPLEXITY  AND  RELIABILITY  OF  COMPONENTS 

FIG.  I 


328 


to  determine  the  magnitude  of  these  strength  variations,  because  the 
existence  of  a large  variation  could  result  in  a high,  probability  of 

failure. 

Considering  the  fact  that  the  failure  rate  of  the  critical  parts 
of  our  aerospace  systems  may  be  only  one  permissible  failure  in 
500,000  or  1,000,000,  knowledge  of  the  strength  for  these  parts  and 
its  relation  to  the  maximum  environmental  stresses  to  be  encountered 
is  absolutely  necessary* 

In  order  to  determine  the  variation  in  the  strength  of  a part  or 
equipment  it  is  necessary  to  "test-to-failure"  samples  of  the  parts 
or  equipments.  The  results  of  these  tests-to-failure  can  be  plotted 
as  shown  in  Fig.  2. 


NO.  OF  TEST 

FIG.  2 


329 


VARIABILITY  OF  GAS  VOLUME  - U.M.950ccFEI-MI03EX  SQUIB 


o 

Q CVJ 
O W 

fog? 

,CO 

t* 

CL  O 
Ui  « 


>- 

o 


o 

o 

CO 


< 

o: 

UJ 


o 

K 

O 


o 

o: 


o 

o 


•o 


- 8 


§ 

8 

8 

8 

8 

JO 

O 

«o 

O 


“ IQ 


o 

CVJ 


O 

IO 

o 


9 

8 

8 

8 

8 

JO 

o 

10 

o 


Oil 

QO 


CO 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

— 

o 

<D 

00 

Is- 

w 

in 

QUANTITIES  OF  SQUIB  SAMPLES 
FIGURE  3. 


X 

100 
90 
80 
X 70 

E~t 

O 60 


APPENDIX 

SAMPLE  CALCULATION 
OF  STANDARD  DEVIATION 


£ 

W 

E-t 

w 


50 

40 

30 

zo 

10 


I 


AVERAGE  X 

t~ 


Maximum  Environmental  Stress  (E) 


1 
Z 

3 SAFETY 

4 MARGIN 

I I 


0 1 

■ ■ ■ 1 J 1 1 i — 

23456  789 

TEST  NUMBER 

10  11  12 

TEST 

STRENGTH 

DEVIATION 

NO. 

DATA 

FROM 

AVERAGE 

2 

X 

X 

X 

1 

99 

4 

16 

Z 

82 

13 

169 

3 

96 

1 

1 

4 

90 

5 

25 

5 

10Z 

7 

49 

6 

98 

3 

9 

7 

94 

1 

1 

8 

103 

8 

64 

9 

90 

5 

25 

10 

88 

7 

49 

11 

106 

11 

121 

1Z 

92 

3 

9 

SX=  1 140 

Sx2= 

538 

Strength  Average  X 


EX 

N 


95 


Strength  Standard  Deviation  s = 


Strength  Safety  Margin 


X - E 


s 


95  - 50 


6.7 

Std. 

Dev. 


331 


TRANSIT  RELIABILITY 


Summary 


Richard  W.  Cole 
Applied  Physics  Laboratory 
The  Johns  Hopkins  University 
Silver  Spring,  Maryland 


The  TRANSIT  navigation  system  as  presently 
conceived  and  planned  consists  of  four  satellites 
orbiting  at  500  to  600  nautical  miles  in  a polar 
orbit.  Each  satellite  contains  two  high  fre- 
quency transmitters  whose  frequency  is  obtained 
through  multiplication  from  an  ultra  stable 
oscillator  for  doppler  data  plus  a memory  from 
which  the  satellites  present  ephemeris  data  is 
continuously  transmitted  in  digital  form  using 
pairs  of  doublets  with  phase  modulation  on  one 
of  the  high  frequency  transmitters.  Any  ship  at 
sea  outfitted  with  suitable  receiving  and  com- 
puting equipment  can  determine  a precision  fix 
on  its  position  by  using  only  the  doppler  track 
and  ephemeris  data  from  a single  satellite  pass 
provided  the  pass  falls  within  a suitable  angle 
between  the  horizon  and  directly  overhead.  By 
using  multiple  satellites,  frequent  worldwide 
coverage  is  maintained  and  only  a single  in- 
jection station  is  required.  The  satellites 
will  be  launched  into  orbit  using  launching 
vehicles  supplied  by  the  Military.  Economic 
factors  make  it  necessary  that  the  tactical 
satellites  operate  satisfactorily  in  the  space 
environments  for  periods  of  time  which  are  long 
when  compared  to  present  day  ground  equipment 
where  maintenance  is  used  to  maintain  continued 
operation.  Maintenance  in  space  is  limited  to  a 
few  vital  functions  via  command  link  and  re- 
dundancy Is  reduced  to  near  zero  by  severe  space 
and  weight  limitations.  Satellite  technology  is 
a new  endeavor  for  mankind  which  involves  the 
many  unknowns  of  the  space  environment.  As  a 
result,  the  Applied  Physics  Laboratory  is  making 
every  effort  to  conduct  a program  which  is 
balanced  between  research,  development,  and 
engineering  whose  program  goal  in  reliability  is  • 
to  make  a long  operational  lifetime  in  orbit  an 
inherent  "designed  in"  characteristic  of  the 
TRANSIT  tactical  satellites. 


computing  equipment  can  determine  a precision 
fix  on  its  position  by  using  only  the  doppler 
track  and  ephemeris  data  from  a single  satellite 
pass  provided  the  pass  falls  within  a suitable 
angle  between  the  horizon  and  directly  overhead. 
By  using  multiple  satellites,  frequent  worldwide 
coverage  is  maintained  and  only  a single  in- 
jection station  is  required.  The  satellite  will 
be  launched  into  orbit  using  launching  vehicles 
supplied  by  the  Military. 

Reliability  requirements  ordinarily  stem 
from  performance  requirements,  economic  factors, 
or  both.  In  the  case  of  the  TRANSIT  program, 
the  Laboratory  has  been  requested  to  extend  the 
reliable  lifetime  of  TRANSIT  orbiting  satellites 
to  a goal  of  five  years --a  requirement  often 
quoted  today  in  Military  contracts.  A few  of 
the  factors  which  greatly  complicate  this  task 
are  as  follows: 

(l)  New  Environments 

The  characteristics  of  the  outer  space 
environments  are  not  fully  known,  nor 
are  the  long  term  effects  of  these 
space  environments  upon  electronics, 
electromechanical,  and  optical  devices 
and  materials  known.  With  the  present 
state  of  the  art  in  vacuum  technology, 
the  extreme  vacuum  of  outer  space  as 
projected  by  theory  cannot  be  simulated 
on  the  ground.  Our  ability  to  simulate 
radiation,  particularly  nuclear  radia- 
tion, is  grossly  limited  and  long  term 
exposure  as  required  in  life  testing  is 
impractical.  The  large  number  of 
temperature  cycles,  with  the  associated 
thermal  stresses,  which  a TRANSIT 
satellite  would  experience  in  five 
years  may  be  a hazard  to  long  life. 


The  TRANSIT  navigation  system  as  presently 
conceived  and  planned  consists  of  four  satellites 
orbiting  at  500  to  600  nautical  miles  in  a polar 
orbit.  Each  satellite  contains  two  high  fre- 
quency transmitters  whose  frequency  is  obtained 
through  multiplication  from  an  ultra  stable 
oscillator  for  doppler  data  plus  a memory  from 
which  the  satellites  present  ephemeris  data  is 
continuously  transmitted  in  digital  form  using 
pairs  of  doublets  with  phase  modulation  on  one 
of  the  high  frequency  transmitters.  Any  ship  at 
sea  outfitted  with  suitable  receiving  and 


(2)  Performance  Demands  Tax  the  State  of 
the  Art 

In  some  areas,  system  requirements 
place  severe  demands  on  the  state  of 
the  art  with  the  resultant  increased 
probability  of  degradation  failures. 

(3)  Changing  Technology 

Electronic  technology  is  in  a constant 
state  of  evolution.  This  will  result 
in  changes  in  satellite  design  to  im- 
prove performance,  particularly  in 
marginal  areas,  which  changes  introduce 
new  techniques  and  hardware  with  the 
attendant  reliability  hazards. 


333 


(4)  Miniat uri  zat  i on 

Space  and  weight  limitations  force  the 
use  of  ultra -miniaturization  with  all 
the  attendant  new  techniques,  parts, 
and  materials*  Fabrication  becomes  an 
acute  problem  because  of  the  basic 
limitations  of  people  to  handle  small 
parts  and  the  limited  production 
quantities  make  extensive  tooling  and 
automation  prohibitively  costly. 

People  in  some  quarters  feel  that 
TRANSIT  should  use  small  launching 
vehicles  for  economic  reasons,  yet, 
since  the  limited  payload  weight 
capability  of  these  vehicles  requires 
the  elimination  of  essentially  all 
redundancy,  the  cost  factors  associated 
with  the  reduced  reliability  of  these 
non-redwidant  satellites  may  result  in 
a less  economical  "system"  than  one 
using  the  more  expensive  larger 
launching  vehicles  capable  of  a 
significantly  greater  payload. 

(5)  Long  Operating  Lifetime  Without 
Maintenance 

The  required  operating  lifetime  of  the 
satellite  without  maintenance  is  ex- 
ceptionally long  when  compared  to  pre- 
sent day  ground  equipment.  With  the 
exception  of  the  transoceanic  cables, 
all  electronics  today  depend  upon 
maintenance  for  continued  operation,  a 
procedure  not  presently  feasible  with 
satellites.  The  transoceanic  cables, 
a simple  system  in  comparison  with  a 
satellite,  made  liberal  use  of  re- 
dundancy, a technique  which  can  be 
used  only  sparingly  in  TRANSIT  if 
severe  weight  limitations  are  imposed* 

(6)  Limited  Space  Trouble  Shooting 
Space  and  weight  limitations  severely 
limit  the  amount  of  telemetry  which 
can  be  included  for  trouble  shooting 
purposes  while  in  orbit.  Since  the 
telemetering  electronics  itself  will 
experience  the  satellite  environment, 
it  too  presents  a reliability  problem. 
It  is  worthy  of  note,  however,  that  in 
several  cases,  APL  satellites  now  in 
orbit  and  operating  successfully 
would  have  been  total  failures  had  not 
some  telemetry  and  command  functions 
been  included  which  allowed  some 
troubleshooting  and  correction. 

(7)  Statistics  and  Failure  Loop  Closure  of 
Limited  Usefulness 

The  fact  that  satellites  will  be  pro- 
duced in  very  limited  quantities  with 
but  a few  in  orbit  at  any  time,  coupled 
with  the  evolutionary  trend  in  techno- 
logy means  that  techniques  to  aehieve 
improved  reliability  through  statistics 
and  failure  loop  closure  are  of  little 
usefulness . 


(8)  Extreme  Cost 

Each  satellite  which  fails  after  being 
satisfactorily  launched  into  orbit  will 
represent  a sizeable  monetary  loss. 

From  the  foregoing,  it  follows  that  achieving 
a five  year  lifetime  in  orbit  for  TRANSIT 
satellites  requires  far  more  than  a statistical 
prognostication  by  a reliability  project  or  the 
preparation  of  voluminous  high  reliability 
specifications  by  a parts  group. 

Program  to  Date 

When  APL  entered  the  satellite  field  in 
February,  1959  j it  recognized  that  the  many  un- 
knowns of  the  space  environment  coupled  with  the 
effects  which  long  term  exposure  to  this 
environment  might  have  upon  satellite  hardware 
could  well  make  the  road  from  the  physics 
laboratory  to  space -worthy  hardware  an  arduous 
one.  Certainly,  reliability  in  the  connotation 
of  five  year  life  in  orbit,  could  not  be  an 
initial  requirement.  However,  research  data 
vital  to  the  development  of  the  TRANSIT  navi- 
gation system  could  he  obtained  from  satellites 
having  operational  lifetimes  in  orbit  in  terns 
of  a few  months.  It  was  therefore  considered 
sound  policy  to  launch  experimental  satellites 
as  quickly  as  possible  drawing  upon  the  know- 
how of  Laboratory  personnel  who  had  had  exten- 
sive experience  in  guided  missiles  in  an  effort 
to  obtain  satellites  quickly  which  would  be  as 
space -worthy  as  possible.  In  this  way,  the 
Laboratory  would  not  only  stand  a chance  of  ob- 
taining data  vitally  needed  for  the  further 
development  of  the  navigation  system,  hut  would 
also  start  to  obtain  first  hand  experience  with 
hardware  in  the  space  environment,  hr-  R.  B. 

Ker sheer,  director  of  the  Terrier  Missile  Program 
for  many  years  during  which  time  he  gained  vast 
experience  over  the  full  span  of  technical 
management  from  system  design  to  field  ope rat ion % 
was  appointed  as  director  of  the  newly  formed 
TRANSIT  Division,  The  division  was  manned  with 
assorted  scientists  supported  by  engineers  and 
technicians,  the  majority  of  whom  had  had  ex- 
tensive experience  in  the  Laboratory  missile 
programs  including  the  design,  packaging,  and 
fabrication  of  missile  flight  hardware  and 
missile  field  test  operations.  From  the  outset, 
it  was  decided  that  the  satellites  should  include 
both  telemetry  and  command  logic  subsystems  as  a 
means  of  obtaining  as  much  in-orbit  information 
as  possible  and  provide  a means  for  limited 
corrective  action.  The  satellite  hardware 
designs  have  been  the  result  of  the  efforts  of 
teams  consisting  of  circuit,  thermal,  and 
packaging  design  specialists  and  the  flight 
hardware  was  fabricated  by  highly  skilled 
technicians.  The  circuit  design  engineers,  a 
lot  of  ultra  conservative  perfectionists,  often- 
times themselves  conducted  the  final  bench 
testing  on  flight  hardware  and  served  on  the 
field  crews.  Within  the  limits  of  time  and  man- 
power, the  performance  of  each  circuit  was 
evaluated  for  variations  in  electrical  parameters 


334 


of  the  parts,  power  supply  voltages  and  impedance 
as  well  as  temperature*  Each  satellite  sub- 
assembly  was  subjected  to  several  cycles  of  ex- 
treme high  and  low  temperature  to  weed  out  faulty 
parts  and  solder  joint s,  then  the  electrical  per- 
formance was  checked  during  vibration  and  over  a 
range  of  temperature.  Selective  assembly  was 
used  in  critical  circuit  areas  and  100#  screening 
inspection  was  imposed  on  parts  believed  to  be 
critical  circuit  sources  of  unreliability. 
Redundancy  was  utilised  in  cabling  and  connector 
terminals  as  well  as  some  important  subsystems 
such  as  the  stable  oscillator  and  command  re- 
ceiver. The  completed  satellites  were  given  an 
inspection  critique  by  personnel  not  directly 
associated  with  the  hardware,  then  subjected  to  a 
thorough  system  test  both  electrical  and  environ- 
mental including  vibration  and  thermal -vacuum. 

From  this  point  on,  rigid  rules  of  procedure  were 
imposed  to  control  all  phases  of  the  operation, 
which  rules  required  extensive  satellite  retesting 
should  any  subsystems  have  to  be  changed* 

The  tempo  of  the  program  has  been  un- 
believable* For  instance,  in  the  case  of  the 
TRAAC  satellite,  the  time  between  the  initiation 
of  the  design  and  the  delivery  of  a fully  tested 
satellite  was  4 months.  This  included  design, 
procurement,  partial  breadboarding,  packaging, 
fabrication,  checkout,  assembly,  flight  acceptance 
testing,  and  delivery. 

To  date,  eight  AFL  satellites  have  been 
launched  of  which  five  were  successfully  placed 
into  orbit.  Of  the  eight  satellites,  four  carried 
one  piggyback  satellite  each  and  one  carried  two 
piggyback  satellites  supplied  by  outside  agencies. 
Two  of  the  APL  satellites  have  portions  of  their 
payload  powered  by  radio -isotope  power  supplies 
supplied  by  Martin  under  an  AEC  contract,  the 
first  nuclear  power  to  go  into  orbit*  The 
approximate  electronic  parts  count  for  the 
earlier  satellites  was  11^0  parts  sans  solar  cells 
while  the  later  satellites  approximated  2000 
parts.  Experience  with  these  satellites  which 
may  shed  some  light  upon  the  reliability  of 
satellites  in  orbit  is  as  follows: 

(1)  After  24  months  in  orbit,  signals  are 
still  received  on  two  frequencies  from 
TRANSIT  IIA  when  it  is  in  the  sunlight 
even  though  a shift  in  the  calibration 
of  a the most at  resulted  indirectly  in 
the  batteries  blowing  up. 

(2)  TRANSIT  IVA  le  still  transmitting  on 
four  frequencies  after  one  year  in 
orbit.  The  20 49  bit  delay  line  memory 
has  been  loaded  and  read  out  repeatedly 
with  but  an  occasional  error.  The  RIFS 
is  still  operating  satisfactorily  but 
the  commercially  supplied  telemetry 
transmitter  failed  early.  Mode 
shifting  of  the  command  system  has  been 
experienced  frequently,  but  this 
appears  to  be  due  to  external  causes 


(friendly  jamming). 

(3)  TRANSIT  IVB  Is  still  transmitting  on 
four  frequencies  after  seven  months  in 
orbit.  All  telemetry  is  operating  and 
has  held  calibration  amazingly  well. 

The  1344  bit  magnetic  core  memory  has 
been  loaded  and  read  out  repeatedly 
without  error.  The  solar  attitude 
detector  indicates  approximately  15 
percent  degradation  of  the  satellites 
solar  power  generating  capability  due 
to  radiation  damage.  Soon  after 
launching,  the  satellite  was 
successfully  magnetically  stabilized 
to  within  better  than  2 degrees  of  the 
earth1  s magnetic  field  direction . On 
March  8,  it  was  observed  that  the 
satellite  was  swinging  greater  than  10 
degrees  off  stabilisation.  An  analysis 
of  the  data  indicated  this  was  most 
probably  due  to  the  impingement  of  a 
micro-meteorite  against  the  outer 
surface  of  the  satellite.  The 
oscillations  of  the  satellite  have 
subsequently  damped  out  and  the 
satellite  is  again  aligned  within 
better  than  2 degrees  of  the  local 
magnetic  field  direction, 

(4)  The  TRAAC  research  satellite 
(standing  for  TRANSIT  Research  and 
Attitude  Control)  is  still  operating 
after  seven  months  in  orbit.  Large 
quantities  of  radiation  data  have 
been  collected  using  assorted  sensors 
and  a 256  bit  digital  telemetry  system* 
Although  the  boom  for  gravity  orienta- 
tion did  not  deploy,  the  associated 
weighted  spring  bound  by  biphenyl  did 
deploy  demonstrating  that  the  sub- 
limation phenomena  can  be  used  as  a 
control  mechanism  in  space.  Solar  cell 
experiments  have  shown  a 20$  decrease 
in  current  output  due  to  radiation 
damage.  Bue  to  the  inclination  of  the 
orbits  of  IVB  and  TRAAC,  these 
satellites  spend  considerable  time  in 
the  inner  Van  Allen  radiation  belt. 
Thus,  it  is  expected  that  the  rate  of 
radiation  damage  being  experienced  in 
these  satellites  will  be  considerably 
higher  than  will  he  experienced  In  the 
tactical  satellites  In  polar  orbits* 

(5)  People  in  some  quarters  have  said  that 
the  tin  In  solder  would  sublimate  in 
the  vacuum  of  outer  space  resulting  in 
a reliability  hazard.  As  a result, 
two  specimens  of  vacuum  deposited 

60 -4o  solder,  each  0.8  x 10 "6  inches 
thick,  were  located  on  the  exterior 
surfact  of  the  TRAAC  satellite*  The 
resistance  of  these  specimens  was 
monitored  to  detect  any  sublimation 
or  erosion  of  the  solder.  Results 


335 


after  seven  months  in  orbit  indicate 
that  there  is  no  detectable  change  in 
the  thickness  or  character  of  either 
solder  sample. 

(6)  Extensive  data  reduction  has  shown  that 
the  long  term  stability  of  the  stable 
oscillators  in  the  vacuum  of  outer 
space  is  about  a decade  better  than 
•when  at  one  atmosphere  on  the  ground. 

In  spite  of  these  encouraging  results,  the 
Laboratory  is  still  of  the  opinion  that  the  road 
to  consistent  five  year  life  in  orbit  will  be  a 
difficult  one. 

As  a result,  the  Laboratory  treats 
reliability  as  a responsibility  resting 
directly  upon  the  shoulders  of  every  division 
member  be  he  the  director,  engineer,  or  technician. 
Reliability  is  considered  in  every  decision  along 
with  performance,  weight,  power,  size,  cost  or 
what  have  you.  A separate  reliability  project 
serves  a support  function  in  the  division.  The 
modest  budget  of  the  TRANSIT  program  cannot 
support  a massive  reliability  program.  As  a 
result,  every  effort  is  made  to  engage  in  those 
areas  of  endeavor  which  will  produce  the  greatest 
yield.  A very  abridged  description  of  these 
efforts  is  as  follows: 

1.  The  Laboratory  will  continue  to  orbit 
research  satellites  such  as  TRAAC 
which  satellites  will  contain  both 
experiments  in  basic  research  and  re- 
liability experiments.  The  basic 
research  experiments  will  include 
typically  (a)  supplementary  radiation 
measurements  similar  to  those  now  in 
the  TRAAC  satellite  to  gather  data  in 
those  areas  where  existing  data  is 
inadequate,  (b)  continued  experimenta- 
tion with  attitude  control,  and  (c) 
magnetometer  measurements.  The 
function  of  the  reliability  experiments 
is  to  develop  directly  a better  under- 
standing of  the  effects  of  the  total 
space  environment  upon  electronic  parts 
and  materials.  For  instance,  a simple 
experiment  was  included  in  the  TRAAC 
satellite  where  the  frequency  of  an 
oscillator,  using  a unijunction 
transistor  as  the  active  element,  was 
controlled  by  the  RC  time  constant  of 
a metal  film  resistor  and  a solid 
tantalum  capacitor.  In  seven  months 
that  TRAAC  has  been  in  orbit,  the 
frequency  has  not  changed  more  than 
$.  Our  conclusion:  Apparently 

the  total  space  environment  of  TRAAC 
does  not  appreciably  effect  certain 
electrical  parameters  of  these  parti- 
cular electronic  components  and, 
therefore,  any  efforts  on  these  parts 
should  be  directed  toward  improving 


their  catastrophic  reliability.  A 
similar  "simple -minded"  experiment  is 
being  designed  to  be  incorporated  into 
the  next  research  satellite  to  check 
the  vs  time  of  transistors  fabri- 
cated In  several  ways.  Attempts  will 
be  made  to  correlate  these  results  with 
the  results  of  transistors  subjected  to 
radiation  on  the  ground.  Simple  ex- 
periments to  evaluate  materials  in 
space  are  also  planned.  In  this  way 
we  hope  to  determine  where  the  big 
problems  with  the  space  environment 
rest. 

2.  The  satellites  will  continue  to  be 

designed  as  conservatively  as  possible. 
Redundancy  will  be  included  where 
feasible  and  telemetry  for  limited 
troubleshooting  in  space.  Analytical- 
experimental  correlation  studies  will 
be  conducted  on  each  circuit  to  be 
followed  eventually  by  optimization 
studies  using  advanced  digital  com- 
puter design  techniques  to  achieve 
designs  with  the  largest  possible 
margin  of  safety  against  failure  due 
to  performance  degradation. 

3.  The  hardware  will  be  packaged  pre- 

dominately with  the  welded  matrix 
technique.  Thorough  thermal  design 
studies,  both  analytical  and  thermal- 
vacuum  will  be  conducted  to  reduce  the 
maximum  temperature  of  hot  spots,  keep 
average  temperatures  low,  and  keep 
temperature  excursions  small.  Since 
the  procurement  of  electronic  parts 
with  special  weldable  leads  has  been 
found  to  be  impractical  in  many  cases, 
a modest  R&D  program  in  welding  has 
been  implemented  whose  primary  object- 
ive is  to  develop  a better  understanding 
of  the  factors  which  must  be  controlled 
to  consistently  produce  reliable  welds 
with  ordinary  lead  materials. 

4.  Reliable  parts  are  fundamental  to 

reliability,  therefore,  the  relia- 
bility project  is  expending  considera- 
ble effort  in  this  area.  A programma- 
ble automatic  semiconductor  tester  has 
been  procured  which  is  capable  of 
collecting  variables  data.  This 
machine  will  be  used  to  100$  test  all 
semiconductor  devices  used  in  satellite 
hardware,  to  collect  parameter  data 
required  by  the  design  engineers,  and 
to  collect  data  on  the  variations  of 
the  parameters  during  life  testing. 

All  data  will  be  automatically  re- 
corded on  IBM  cards.  Specifications 
are  being  prepared  for  every  electronic 
part  to  be  used  in  satellite  hardware. 
These  specifications  will  require  a 


336 


100$  screening  inspection  by  the 
manufacturer  as  a means  to  weed  out 
those  parts  potentially  destined  to 
early  failure.  10,000  hour  life 
testing  during  lot  sample  inspection 
will  he  a requirement  on  annual  pro- 
curement with  lot  acceptance  based 
upon  the  initial  2,000  hours.  Study 
programs  will  be  implemented  to  develop 
a better  understanding  of  the  appli- 
cation of  critical  parts  such  as 
batteries  and  solar  cells  and  programs 
to  develop  more  reliable  parts 
supported  as  appropriate. 

5.  Pilot  matrix  test  programs  will  be 

carried  out  on  several  parts  to  gain 
an  insight  into  the  required  conditions 
for  life  testing.  It  has  been  the 
Military-Industry  custom  to  divide 
qualification  samples  Into  groups  and 
conduct  life  tests  on  one  group.  Life 
testing  was  ordinarily  conducted  at  a 
constant  temperature  corresponding  to 
the  maximum  rated  temperature  for  the 
part.  In  TRANSIT,  the  parts  will 
experience  30*000  temperature  cycles 
with  excursions  from  a few  degrees  for 
internal  parts  to  upwards  of  l65°F  for 
external  parts.  To  achieve  five  year 
life  in  orbit,  parts  must  be  obtained 
whose  failure  rate  approximates  one 
failure  per  500,000,000  unit  hours  in 
space  after  being  exposed  to  preboost 
environments  and  launched  into  orbit. 

As  a result,  the  conditions  under 
which  life  testing  is  conducted  may  be 
a most  vital  factor  to  ultimately 
achieving  reliability  in  satellite 
hardware . 

6.  A program  to  conduct  matrix-life  tests 

on  electronic  parts  is  being  imple- 
mented to  obtain  the  application  data 
so  vitally  needed  by  the  design 
engineer . 

In  conclusion,  satellite  technology  Is  a 
new.  endeavor  for  mankind  where  the  successful 
operation  of  complex  equipment  for  extended 
periods  of  time  in  the  total  space  environment  is 
a requirement.  As  a result  of  the  many  unknowns 
associated  with  this  new  endeavor,  the  Applied 
Physics  Laboratory  is  making  every  effort  to 
conduct  a program  which  is  balanced  between 
research,  development,  and  engineering  whose 
program  goal  in  reliability  is  to  make  a long 
operational  lifetime  in  orbit  an  inherent 
"designed  in"  characteristic  of  the  TRANSIT 
tactical  satellite. 


337 


OVERALL  SUMMARY  OF  BELL  TELEPHONE  LABORATORIES  PAPERS 


If  there  is  a single  thread  connecting  this 
series  of  papers,  it  is  economics  as  equated  to 
survival.  Reluctant  as  we  seem  to  admit  it,  we 
are  engaged  in  war  with  a remorseless  enemy  who 
knows  what  he  wants.  He  has  said  that  he  will 
"bury"  us.  He  isn’t  fooling.  One  of  his  major 
aims  is  the  destruction  of  our  economy.  If  we 
build  weapons  for  effective  fighting,  but  ignore 
economics  to  the  point  of  national  financial 
collapse,  we  shall  have  presented  this  enemy 
with  the  greatest  bargain-basement  victory  in 
history.  If  we  are  to  survive,  every  system  we 
build  must  be  an  adequate  system;  it  must  be  the 
one  that  will  perform  its  intended  function  at 
the  lowest  possible  total  cost.  First  cost  is 
not  enough,  because  lowest  first  cost  may  involve 
highest  total  cost. 

To  build  these  excellent  systems,  we  must 
pay  whatever  it  costs  to  get  components  with  the 
lowest .attainable  failure  rates.  There  is  no 
apparent  limit  to  the  variety  of  systems  needed 
now,  and  to  be  needed  in  the  future.  However, 
all  systems  employ  the  same  family  of  basic 
components.  We  need  to  do  a thorough  job  of 
controlling  their  manufacture,  inspection  and 
use,  in  order  that  the  highest  reliability  may  be 
obtained.  This  must  be  done  objectively,  and  we 
must  not  accept  political  interference.  Moreover, 
we  must  keep  a careful  watch  for  improvements  on 
old  devices,  and  for  the  appearance  of  new  devices, 
so  that  these  may  be  subjected  to  the  same  con- 
trols. 

Having  the  best  possible  components,  we  must 
choose  the  best  design  tools  and  reliability 
tools.  We  must  develop  a functional  definition 
of  failure  for  our  system,  and  then  must  design 
each  functional  block  so  that  it  will  cease 
working  only  when  one  of  its  parts  fails.  We 
must  provide  our  equipment  with  the  environment 
in  which  its  components  will  actually  give  us  all 
that  we  have  put  into  them.  We  must  seek  simplic- 
ity of  design,  on  the  grounds  that  the  simple 
think  may  work  when  needed;  the  more  elegant 
arrangement  may  be  impossible  to  maintain.  In 
short,  we  must  search  our  concept  for  frills  and 
chop  them  out. 

Having  arrived  at  a preliminary  design,  we 
must  assess  its  reliability  with  care;  and  we 
must  reconsider  the  design  of  any  portion  whose 
ability  to  meet  the  total  performance  goals  does 
not  appear  assured.  Wherever  possible,  design 
must  use  old  building  blocks  of  high  reputation, 
in  order  that  the  most  my  be  realized  from  past 
investments  --  and  that  our  limited  strength  may 
be  husbanded  for  use  where  really  needed. 

There  will  be  times  when  it  will  pay  to  look 
at  an  old  building  block  that  has  not  performed 


well:  It  might  promise  highly-reliable  perform- 

ance if  only  minor  changes  were  to  be  made;  on 
the  other  hand,  it  might  be  a valuable  text  on 
what  to  avoid. 

Design  and  reliability  people  must  strive 
constantly  toward  the  goal  of  economy,  that  is, 
lowest  total  cost  of  finished  equipment.  From 
the  earliest  development,  stages,  we  must  be 
serious  in  our  consideration  of  every  trouble, 
and  in  our  efforts  to  give  the  project  the  very 
best  corrective  feedback.  When  representative 
models  are  available,  they  must  be  tested  ex- 
haustively in  the  closest  possible  simulation  of 
the  final  environment.  And  we  must  continue  the 
process  of  trouble  reporting  and  failure  analysis 
even  into  the  final  use  stage. 

It  has  been  shown  that  a new  equipment 
derives  its  greatest  benefits  from  failure 
analysis  performed  in  the  earlier  stages,  and 
that  the  chances  of  correcting  troubles  diminish 
as  an  equipment  approaches  tactical  use.  But  we 
must  try  to  know  all  we  can,  both  good  and  bad, 
about  each  of  our  offerings  if  there  Is  to  be 
reasonable  hope  that  the  next  one  will  be  a lot 
better  - that  Is,  if  it  is  to  have  a lower  total 
cost. 


339 


THE  ECONOMICS  OF  A RELIABLE  SYSTEM 


L.  N.  St.  James 

Bell  Telephone  Laboratories,  Incorporated 
Whippany,  New  Jersey 


The  Survival  Concept 

If  a single  theme  can  be  extracted  from 
everything  in  the  known  universe,  it  appears  that 
this  pattern  can  be  labeled  survival.  In  the 
animal  kingdom  this  is  particularly  obvious.  All 
normal  individuals  of  every  species  breath 
oxygen,  eat,  propagate  and  each  species  is 
provided  with  a mechanism  of  defense  against  a 
hostile  environment.  The  turtle  has  a hard  shell, 
the  bird  has  wings,  the  rabbit  is  fleet  of  foot. 

In  the  usual  environment,  not  altered  by  man, 
the  rabbit*s  speed  does  not  insure  a particularly 
high  level  of  individual  survival  but  the 
reliability  of  his  propagating  mechanism  is 
generally  adequate  for  survival  of  the  species. 

It  appears  that  the  institutions  invented, 
devised,  or  developed  by  man,  the  home,  the 
family  group,  the  church,  the  corporation,  the 
state,  and  on  up  the  ladder  are  also  structured 
around  the  basic  concept  of  survival. 

Dexter  S.  Kimbal,  a past  dean  of  the 
Engineering  College  at  Cornell  told  every 
freshman  class,  for  years,  that  there  is  nothing 
made  by  man  that  someone  cannot  make  a little  bit 
worse  and  sell  a little  bit  cheaper.  This  is 
survival  at  a low  level,  the  individual  or 
company  level,  or  so  it  would  seem.  Supposedly 
the  cheaper  selling  price  would  attract  more 
sales  in  a competitive  market  and  increase  the 
company *s  profits.  One  cannot  help  but  observe 
a relation  between  the  worse  and  cheaper  concept 
and  survival  under  competitive  bidding  current  In 
military  procurement. 

I learned  of  a small  manufacturer  recently 
who  was  making  electronic  gear,  let  us  say  test 
sets,  on  a military  contract.  He  used  no  MIL 
specification  parts.  His  reply,  when  questioned, 
was  quite  interesting  and  it  would  be  true  as  of 
now.  "These  parts  are  just  as  good  as  MIL  parts, 
they  probably  come  off  the  same  production  line, 
and  they  save  me  about  20 . They  could  have 
come  off  the  same  production  line,  as  MIL 
rejects  perhaps,  or  they  could  have  been  made 
by  a supplier,  much  like  himself,  who' bought  his 
raw  materials  on  the  basis  of  a trade  name  and 
20$  discount. 

Of  course  none  of  us  here  is  in  this  kind 
of  a business;  we  all  appreciate  that  the 
approach  does  not  even  promote  individual 
survival  on  a long  term  basis.  However,  we  do 
have  to  face  a fact  that  has  been  often  dis- 
cussed. The  military  organization  is  required 
to  pay  from  two  to  ten  times  (depending  upon 


the  source  of  the  figures)  the  initial  cost  of  an 
equipment  for  maintenance,  just  keeping  it 
working,  each  and  every  year.  Of  course,  when  an 
equipment  is  being  repaired,  it  is  rot  performing 
its  function,  it  is  not  working.  Therefore, 
another  equipment  is  required  with  its  high 
maintenance  cost  to  take  its  place.  We  actually 
pay  In  two  ways,  we  have  to  buy  two  or  more  equip- 
ments to  do  a single  job  because  the  maintenance 
requirements  are  high.  This  seems  silly  but  we 
are  all  aware  that  it  takes  100  planes  on  a 
carrier  to  put  20  or  25  in  the  air.  If  each  of 
us  had  to  keep  4 or  5 cars  in  our  garage  in  order 
to  drive  to  work  every  morning,  I am  sure  we 
would  collectively  find  some  other  my  of  getting 
to  work,  even  if  it  meant  walk.  Propagation  of 
more  equipments  is  not  as  easy  for  us  as  it  is  for 
the  rabbit  and  this  could  be  a major  factor  in 
the  low  survival  rate  of  equipment  species  in  the 
military  field. 

Sustaining  The  Defense  Structure 

We  are  all  participating  in  one  way  or 
another  in  the  building  and  support  of  a large 
military  establishment.  The  taxes  we  and  our 
companies  pay  buy  the  equipments  and  maintain 
them.  Curiously  enough,  much,  in  seme  instances 
all,  of  our  personal  income  and  our  companies* 
profits  derive  from  the  military  purchases  of  new 
equipments,  parts  for  maintenance  and  In  a few 
instances  maintenance  and  operation  contracts. 

This  looks  something  like  a closed  loop. 

Obviously  it  cannot  be  closed  since  out  of  these 
taxes  must  also  come  a whole  host  of  costs  for 
such  things  as  government,  management  and  labor 
which  would  make  taxes  far  exceed  income  and 
profit  if  the  loop  were  in  fact  closed.  This 
loop  must  be  supplied  with  energy  from  an  external 
source  which,  in  a restricted  sense  can  be 
translated  into  dollars.  This  source  can  only 
be  the  general  economy,  the  consumer  goods 
industry.  We  are  all  interested  in  our  individual 
survival,  our  companies*  survival,  and  rightly  so 
but  if  the  dollars  that  can  be  drained  from  the 
general  economy  are  not  sufficient  to  build  and 
maintain  an  adequate  military  establishment,  the 
country  itself  cannot  survive.  It  is  necessary, 
therefore,  that  we  direct  a major  effort  toward 
this  higher  level  of  survival  in  order  to  make 
possible  our  individual  survival.  It  is  not 
someone  else*s  job,  it  is  our  job.  The  cost  of 
our  defense  structure  must  be  reduced. 


The  Reliability  Concept 


If  we  look  hack  into  history  a little , ve 
find  that  some  30  years  ago,  the  concept  of 
quality  control  -was  introduced  as  a producer  *s 
tool  to  enable  management  to  know  what  his  shop 
was  doing*  This  resulted  in  a better,  more 
uniform  product  at  a lower  cost,  Shortly 
thereafter,  the  basic  tools  of  quality  control 
were  expanded  into  a much  broader  concept,  a 
consumer  function  which.  In  the  Bell  System 
acquired  the  name  Quality  Assurance*  This 
function  can  be  delegated  and,  in  the  Bell  System, 
in  fact  it  is  delegated  to  a separate  organiza- 
tion in  the  Bell  Telephone  Laboratories  which  is 
even  funded  separately  from  the  rest  of  the 
Laboratories*  This  organization  Is  charged  with 
the  responsibility  of  providing  assurance  to  the 
separate  Telephone  Companies  that  they  are  being 
supplied  with  equipments  adequate  for  their  needs 
at  the  lowest  possible  total  cost.  Total  cost, 
of  course,  includes  initial  cost,  maintenance 
cost,  operating  cost,  etc.  So  far,  there  has 
been  no  need  for  a separate  Reliability  Organiza- 
tion on  the  Bell  System  side  of  the  house* 

In  the  military  picture  some  years  ago, 
equipments  were  getting  more  and  more  complicated* 
Much  of  It  was  down  much  of  the  time;  it 
required  huge  stocks  of  spares  and  considerable 
time  to  maintain;  but  most  important,  at  least  so 
it  appeared,  it  could  not  be  counted  upon  when 
needed*  Reliability  looked  like  a panacea  to 
cure  all  these  ills  10  years  ago.  Mow,  we  not 
only  have  Reliability,  but  we  have  maintain- 
ability, human  engineering  and  value  engineering 
and  who  knows  what  will  he  added  next  week,  or 
next  year.  My  guess  is  that  the  job  will  not  be 
done  until  one  of  these  specialities  takes  over 
the  responsibility  of  demonstrating  to  the  user 
that  he  is  getting  equipments  adequate  for  his 
needs  at  the  lowest  possible  cost.  Are  the 
people  in  Reliability  big  enough  to  assume  this 
obligation?  Some  one  must  assume  it  if  the 
country  is  to  survive  and  few  will  question  that 
individual  survival  is  contingent  upon  survival 
of  our  country,  our  institutions  and  on  down  the 
ladder* 

Reliability  Definition 

A few  years  back,  the  AGREE  Committee 
produced  a definition  for  Reliability  with  which 
everyone  is  familiar:  "Reliability  is  the 

probability  that  a system  will  perform  its 
intended  function  for  a specified  time  under 
specified  conditions  of  use".  Where  is  cost  in 
this  definition?  The  definition  is  useful 
because,  with  certain  assumptions  that  are  now 
unreasonable,  it  can  be  specified,  measured  and 
demonstrated.  Furthermore,  if  you  bring  in 
confidence  you  can  give  the  statisticians  a field 
day.  So  we  all  have  fun  but  the  user  has  to  put 
in  three  systems  where  he  needs  one  and  he  has  to 
pour  out  several  times  the  cost  of  each  and  every 
one  annually  to  keep  one  working  all  the  time. 

This  gave  birth  to  another  definition,  availabil- 
ity. This  Is  defined  as: 


q + 

where  0 ^ mean  time  between  failures 

0^  = mean  time  required  to  restore 
normal  operation  * 

Still  no  dollars.  Also  a cursory  inspection  of 
this  formula  indicates  that  a very  high  availa- 
bility can  be  obtained  with  a small  mean  time  be- 
tween failures  provided  that  the  repair  time  is 
short  enough.  Automatic  Identification  and  large 
plug-in  units  will  accomplish  this. 

I should  like  to  take  this  up  later  but,  in 
the  mean  time  I will  propose  a definition  for  an 
adequate  system. 

An  Adequate  System 

An  adequate  system  is  the  lowest  total  cost 
system  that  will  do  what  the  user  expects  it  to 
do  whenever  called  upon* 

I would  further  propose  that  reliability 
engineers  and  reliability  organizations  orient 
their  thinking  and  methods  of  approach  so  as  to 
provide  the  user  with  assurance  of  adequate 
systems.  A process  for  accomplishing  this  can 
be  defined  rather  easily  but  its  actual 
implementation  by  cook  book  methods  remains  to 
be  developed*  Figure  1 gives  a diagrammatic 
version  of  the  evolution  of  a system. 

1.  Derivation  of  Intended  Function 

It  is  necessary  to  assume  that  some  specific 
problem  exists  and  that  a decision  has  been  made 
to  develop  a system  complex  to  solve  this 
problem*  The  first  obligation,  then,  is  to 
derive  the  Intended  Function  for  the  system 
complex.  It  is  probably  easiest  to  convey  the 
meaning  of  Intended  Function  by  considering  a 
simple  example.  Assume  that  the  Intended  Function 
Is  to  detect  certain  types  of  targets  appearing  at 
some  maximum  rate,  at  some  maximum  density,  at 
some  specific  velocity  and  with  a specific  lethal 
power,  A complete  statement  of  the  Intended 
Function  would  embody  a description  of  the  target, 
assigning  numbers  to  all  such  quantities  as  the 
maximum  rate  of  appearance,  density  of  attack, 
velocity  and  lethal  power  with  the  addition  of 
the  operating  environment  of  the  proposed  system 
complex. 

2.  Derivation  of  Design  Intent 

In  order  to  derive  Design  Intent  for  a 
single  system  it  is  necessary  first  to  establish 
the  general  class  of  technical  means*  In  the 
assumed  example  It  will  be  radar.  The  rather 
general  terms  of  the  Intended  Function  such  as, 
description  of  target,  velocity  and  lethal  power 
are  translatable  into  Performance  Characteristics, 
of  the  radar,  such  as  range,  sensitivity  and  rate 
of  data  acquisition  while  the  assumed  density  of 
the  attack  is  translatable  into  number  of  radars 
required* 


This  is  completely  orthodox  but,  if  we  are  to 
think  in  terms  of  Adequacy  from  the  user's  stand- 
point we  should  go  much  further*  Design  intent 
can  be  considered  best  by  dividing  into  two  basic 
areas  which  are*  in  turn,  subdivided* 

A*  Operational  Capability 

( 1 ) Fe r f ormanc e Char act e r is tics 

(2)  Mission  Reliability 

(3)  Availability 

B*  Total  Cost 

(1)  First  cost  of  a system 

(2)  Installation  cost  of  a system 

3)  Cost  of  operation  of  a system 

4)  Cost  of  maintenance  of  a system 
(5)  Number  of  systems  required  to  solve 

the  total  problem* 

Obviously,  A,  the  operational  capability  required 
of  a system  cannot  be  formulated  until  the 
Intended  Function  of  the  proposed  system  complex 
is  well  established.  Equally  obvious;  the  total 
cost,  B,  cannot  be  determined  until  the  operational 
capability  is  at  least  tentatively  established,  and 
thirdly,  it  is  evident  that  there  are  a number  of 
possible  solutions,  only  one  of  which  optimises 
all  factors,  at  any  stage  of  technical  development 
including  total  cost*  Only  after  this  has  been 
done  is  it  possible  to  work  out  the  detailed 
system  design  (Product  Design)  with  any  assurance 
that  it  will  solve  the  user's  problem  at  the 
lowest  possible  cost*  The  rest  of  Figure  1 will 
be  discussed  in  later  papers* 

In  recent  years  we  have  come  to  see  Mission 
Reliability  and  Availability  requirements  in 
procurement  specifications,  usually  in  terms  of 
their  basic  parameters,  mean  time  between  failures 
and  mean  time  required  to  repair*  This  is  wrong. 
Unless  these  requirements  have  been  derived  from 
the  Operational  Capability  and  total  cost  study 
just  described  under  Derivation  of  Design  Intent, 
they  are  likely  to  contribute  little  to  relieving 
the  current  situation  where  it  costs  many  times 
the  initial  cost  each  year  to  keep  a system 
complex  working* 

Economic  Factors 

A number  of  years  ago  during  the  preliminary 
skirmishes  with  the  ZEUS  data  processing  system 
it  became  evident  that  we  were  rapidly  approaching, 
if  we  had  not  already  passed,  some  kind  of  a limit. 
The  system  would  work,  but  it  is  doubtful  if  it 
would  all  work  long  enough  at  any  one  time  to 
demonstrate  that  it  actually  was  working-  This 
forced  a concerted  drive  in  two  directions; 

1,  Develop  component  parts  with  a lower 
inherent  failure  rate. 

2*  Design  circuits  that  will  make  full  use 

of  the  inherent  failure  rates  of  component 
parts . 


Circuits  could  no  longer  he  tolerated  which 
would  fail  to  perform  their  function  before  at 
least  one  component  part  had  failed*  This  drive 
was  not  forced  by  economic  considerations  but  two 
major  economic  conclusions  derive  from  it, 

1*  The  total  cost  of  a system,  considering 
first  cost  and  annual  maintenance  cost, 
continues  to  decrease  as  the  failure 
rate  of  component  parts  decreases. 

2*  We  can  afford  to  spend  far  more  than  is 
common  practice  to  insure  that  each 
circuit  in  a system  makes  full  use  of 
the  inherent  failure  rate  of  its  component 
parts. 

The  first  economic  conclusion  will  be  sub- 
stantiated here  but  the  second  will  be  left  for 
the  next  paper  covering  v System  Reliability 
Estimation". 

At  least,  as  far  as  this  has  been  explored 
to  date,  the  total  cost  of  a system  to  the  user 
continues  to  decrease  as  component  part  failure 
rates  are  reduced-  It  seems  unlikely  that  this 
decrease  will  continue  indefinitely  and  an 
extrapolation  of  actual  cost  data  indicates  that 
an  increase  in  total  system  cost  can  he  expected 
around  an  average  part  failure  rate  of  *0005$  per 
1000  component  part  hours  due  to  an  Increase  in 
component  part  cost. 

Component  Part  Cost 

Figure  2 shows  the  relative  cost  of  a trans- 
istor as  a function  of  failure  rate  in  per  cent 
per  1000  component  part  hours.  At  the  far  right 
we  have  the  ordinary  commercial  grade,  29^  each 
in  lots  of  1000,  special  discounts  in  larger 
lots*  Around  .05  or  a little  less  we  have  the 
high  reliability  MIL  specification  transistors. 

This  was  the  grade  that  we  could  not  conceivably 
use  In  the  ZEUS  data  processing  system.  Develop- 
ment work  in  the  design  of  a suitable  transistor, 
methods  of  manufacture  and  an  extensive  testing 
program  were  undertaken  simultaneously,  In  the 
first  stabilization  of  this  process  cost  versus 
failure  rate  appeared  to  follow  the  broken  curve 
(l).  However,  as  the  design  and  production 
processes  matured  and  output  increased,  costs 
dropped  and  the  curve  merged  into  the  line  defined 
by  the  other  points.  With  further  increases  In 
production,  the  cost  might  well  fall  below  this 
line  but  the  solid  line  is  all  that  is  known  at 
present.  Now  if  this  experience  is  extrapolated 
to  a -0001  failure  rate  the  highest  cost  we  could 
anticipate  is  represented  by  the  broken  curve  (2), 
the  most  likely  cost  by  an  extension  of  the 
straight  line*  The  failure  rates  on  the  solid 
straight  line  are  actual  failure  rates  observed 
in  systems  installed  in  the  field. 

It  is  not  Intended  to  suggest  that  we  are 
the  only  ones  sparking  a lowering  of  component 
part  failure  rates.  This  Is  a rather  general 
situation  forced  by  large  system  complexes. 

Figure  3 shows  relative  cost  versus  failure  rate 


for  capacitors  and  resistors.  Although  these 
component  parts  are  used  in  the  ZEUS  Data  Pro- 
cessing system,  the  component  development  work 
was  done  by  others.  The  failure  rates  are  again 
those  observed  in  systems  in  the  field.  Curiously 
enough,  these  curves  are  also  straight  lines  but 
if  we  knew  more  of  the  details  they  would  probably 
show  the  same  turn  up  on  the  left  during  the  early 
phases  that  was  previously  shown  for  transistors. 

System  Cost 

Figure  4 shows  relative  system  cost  as  a 
function  of  the  average  component  part  failure 
rate.  Down  to  about  .001  failure  rate  in  per  cent/ 
1000  component  part  hours  these  relative  costs  are 
derived  from  actual  costs  and  in  the  extrapolation 
to  .0001  they  are  based  upon  the  expected  cost 
increase  shown  for  transistors. 

Annual  System  Cost 

Figure  5 shows  annual  cost  curves  for  a 
system  as  a function  of  component  part  failure 
rate.  The  lowest  curve  shows  annual  maintenance 
cost.  This  requires  some  explanation.  The  replace- 
ment unit  in  the  ZEUS  Data  Processing  system  is 
known  as  the  D unit  which  contains,  on  the  average 
150  A packages.  Failure  of  a D unit  is  indicated 
automatically  and,  in  the  basic  system  concept,  a 
new  unit  can  be  substituted  from  stock  in  minutes. 

D units  are  repaired  on  site  by  locating  and 
replacing  the  failed  A packages.  Annual  mainte- 
nance cost  per  system,  therefore,  includes  (l)  the 
cost  of  the  A packages  needed  for  replacement, 

(2)  the  cost  of  maintaining  a stock  of  D units, 
their  repair  and  test,  and  (3)  the  cost  of  their 
replacement  in  a system;  all  multipled  by  the 
number  of  replacements  required  per  year.  The 
number  of  replacements  is  determined  from  the 
component  part  failure  rate.  Continuous  operation 
is  assumed  in  this  estimate  which  is  the  expected 
situation.  Actual  cost  of  the  replacement  parts 
does  not  contribute  very  much  to  the  total  main- 
tenance cost  until  very  low  failure  rates  are 
reached  so  the  total  maintenance  cost  is 
essentially  proportional  to  failure  rate  except 
at  the  lower  end  of  the  curve. 

The  other  three  curves  show  the  total  annual 
cost  which  is  obtained  by  combining  the  initial  cost 
of  the  system  with  the  annual  maintenance  cost. 

The  upper  curve  is  for  a system  with  a life  of  one 
year.  It  is  bought,  operated  and  maintained  for 
one  year  and  then  discarded.  Actually,  no  one 
contemplates  building  systems  with  a one  year  life 
but  showing  this  curve  does  enable  us  to  see  at  a 
glance  how  little  the  first  cost  of  a system 
contributes  to  the  total  annual  cost  when  the 
usable  failure  rate  of  component  parts  is  high. 

For  instance,  if  it  is  known  that  a system  costs 
about  10  times  as  much  annually  to  keep  it  working 
as  it  costs  to  buy  it  initially,  this  curve  can 
be  scanned  and  it  is  seen  that,  where  the  relative 
annual  maintenance  cost  is  380,  the  total  cost  is 
420.  The  difference,  40,  is  the  first  cost  of  one 
system.  It  is  evident,  since  40  is  approximately 
one  tenth  of  38O  that  a system  that  costs  10  times 


its  initial  cost  to  keep  going  for  a year  has  an 
average  effective  component  part  failure  rate  of 
.04$  per  1000  component  hours.  This  is  very  close 
to  the  failure  rate  of  high  reliability  MIL 
Transistors,  but  it  is  somewhat  higher  than  for 
high  reliability  resistors  or  capacitors  in  well 
designed  circuits. 

Similarly,  if  the  failure  rate  actually 
realized  by  the  system  can  be  reduced  to  <01,  a 
relatively  small  reduction,  the  annual  maintenance 
cost  now  equals  the  system  first  cost. 

Now,  if  we  really  go  all  out  to  an  average 
component  part  failure  rate  of  .001  and  design 
systems  to  make  full  use  of  this  low  rate,  annual 
maintenance  cost  is  only  one  twentieth  of  the 
first  cost  of  the  system. 

The  two  middle  curves  are  of  greater  Interest 
because  they  represent  the  actual  total  cost 
situation.  The  5 year  curve  applies  to  a single 
system  with  a 5 year  life,  so  one  fifth  of  the 
initial  system  cost  is  added  to  the  annual 
maintenance  cost  to  obtain  the  total  annual  cost. 
It  can  be  seen  that  this  total  cost  curve  turns 
up  at  an  average  component  part  failure  rate  of 
.001.  It  can  be  concluded,  therefore,  that  if 
such  a short  life  is  desired  for  some  reason,  the 
system  need  only  be  designed  to  make  full  use  of 
parts  with  a failure  rate  of  .001$  per  100  compo- 
nent part  hours. 

In  the  lower  curve,  for  a 20  year  system,  the 
minimum  cost  point  is  at  .0003.  The  ratio  between 
the  annual  cost  of  the  minimum  cost  5 year  system 
and  the  minimum  cost  20  year  system  is  50:l8, 
nearly  3 to  one'.  Of  course,  there  is  some  doubt 
if  component  parts  with  a failure  rate  of  .0003 
are  actually  available  but  the  3 to  1 gain  makes 
them  well  worth  going  after.  Also,  this  does 
make  us  wonder  if  there  is  any  rational  reason 
for  knowingly  designing,  building  and  buying  a 
system  with  a 5 year  life. 

Annual  System  Complex  Cost 

Now  I should  like  to  return  to  the  accepted 
formulation  of  availability. 

Availability  is  defined  as: 

A = 6 

© + eR 

where:  9 « mean  time  between  failures 

@R  = mean  time  to  restore  normal 
operation. 

It  is  evident  that  it  is  not  the  actual 
value  of  the  repair  time  that  is  significant  in 
determining  availability  but  it  is  its  relation 
to  the  mean  time  between  failures. 

Suppose,  for  example,  that  for  the  solution 
of  some  particular  defensive  problem,  a single 
working  system  is  required.  The  system  selected 


has  an  availability  of  0.8,  Now  if  we  will  he 
satisfied  with  defensive  coverage  99$  of  the  time, 
and  using  the  binomial  for  calculation*  we  must 
purchase*  install  and  maintain  three  systems 
where  only  one  is  actually  required  at  any  one 
time.  This  represents  a tripling  of  total  cost 
made  necessary  because  the  system  has  not  been 
designed  to  really  do  the  required  Job,  The 
system  is  not  adequate* 

Now  suppose  that  by  considerable  design 
effort  the  availability  is  raised  to  0*9*  With 
the  same  assumptions  as  previously  made*  two* 
instead  of  three  systems  are  now  required  to 
assure  coverage  at  least  99$  of  the  time.  This 
requires  doubling*  rather  than  tripling  the  total 
cost*  a substantial  Improvement  which  would  justify 
paying  considerably  more  for  a single  system. 

However ? if  we  look  at  the  problem  from  the 
high  level  survival  point  of  view*  can  we  really 
convince  ourselves  that  any  system  with  an 
availability  of  less  than  99$  is  in  fact  adequate 
to  do  the  required  job?  We  should  not  have  to 
purchase*  install  and  maintain  two  or  three 
systems  where  only  one  is  required.  And  what  is 
even  more  true*  we  can  afford*  on  a total  survival 
basis*  to  pay  handsomely  for  this  one  really 
adequate  system. 

Availabilities  of  99$  are  not  by  any  means 
impossible.  If  we  look  at  the  structure  of  the 
formula*  it  is  only  necessary  to  so  design  the 
system  that  the  time  to  restore  normal  operation 
is  one  one-hundredth  of  the  mean  time  between 
failures.  There  are  two  avenues  of  approach 
which  will*  conceptually  at  least*  achieve  this 
100  to  1 ratio. 

1,  Increase  the  mean  time  between  failures. 

2.  Decrease  the  mean  time  required  to 
restore  normal  operation. 

If  the  second  method  Is  chosen*  this  will 
invariably  lead*  in  a large  system*  to  large 
plug-in  assemblies  and  automatic  trouble  location 
of  such  defective  assemblies.  It  will  hardly 
ever  be  economical  to  discard  these  large  assem- 
blies so  provision  must  be  made  for  on  site  repair 
and  adequate  stocks  to  Insure  that  the  needed  good 
replacements  are  always  available-  The  actual 
maintenance  load*  therefore*  has  not  been 
decreased  but  an  additional  cost  has  been 
incurred  by  the  need  for  stocking  and  periodic 
testing  of  large  replacement  assemblies.  This* 
therefore*  is  the  less  desirable  method  of 
securing  a 99$  availability  and  it  should  be  used 
only  after  the  first  method  has  been  fully  ex- 
ploited. 

Figure  6 Illustrates  the  magnitude  of  gain 
possible  by  fully  exploiting  the  first  method. 

This  chart  is  derived  from  the  total  system 
cost  (Figure  5)  previously  used  in  order  to  show 
the  effect  on  total  cost  to  the  user  of  a system 
complex.  The  relative  cost  on  the  ordinate  has 
3 scales  the  first  for  single  system  availability 


of  0,8  the  second  for  0,9  and  the  third  for  O.99. 
It  has  previously  been  stated  that  the  maintenance 
cost  is  not  greatly  changed  by  increasing  the 
availability  If  this  is  done  only  by  decreasing 
the  time  required  to  restore  the  system  to  normal 
operation.  Therefore*  since  It  takes  two  systems 
to  do  the  job  of  one  if  the  availability  is 
reduced  from  0,99  to  0.9  and  three  to  do  the  job 
of  1 If  availability  goes  to  0.8*  our  total  cost 
to  the  user  of  the  system  complex  is  multiplied 
by  2 and  3 respectively. 

Consider  an  example  of  an  exceptionally  well 
designed  system  which  makes  full  use  of  component 
parts  having  an  average  failure  rate  of  .01$  per 
1000  component  part  hours  and  intended  for  20 
year  life.  Assume*  further  that  the  annual  total 
cost  for  such  system  is  $100*000,  However* 
because  the  availability  of  the  system  Is  only 
0.8  it  requires  three  systems  in  any  complex  to 
do  the  job  of  one.  The  total  system  complex 
cost*  therefore*  is  $300*000  annually.  Now  if 
this  system  is  redesigned  to  make  full  use  of 
parts  having  an  average  failure  rate  of  .001  the 
annual  total  cost  per  system  will  be  reduced  to 
$20*000.  This*  of  course*  brought  the  mean  time 
between  failures  up  to  10  times  the  Initial  value 
which*  of  itself*  raised  the  availability  from 
0.8  to  better  than  ,95.  Bringing  in  the  second 
method  of  raising  availability*  a little  further 
work  along  the  lines  of  large  plug-ln  assemblies 
and  simplified*  perhaps  semi-automatic  trouble 
location  can  lower  the  time  required  to  restore 
normal  operation  and  Increase  the  availability  to 
O.99.  Then  only  one  Bystem  is  needed  to  do  the 
job  formerly  done  by  three  systems. 

Itemizing  these  numbers; 

The  total  cost  before  redesign  - $300*000  per  year 
Total  cost  after  redesign  - $ 20*000  per  year 

Saving  - $280*000  per  year 

It  looks  possible  to  drop  our  defense  costs 
associated  with  system  supply  and  maintenance  to 
7 or  8 per  cent  of  what  they  now  are  if  everyone 
Is  put  on  the  team  and  plays  the  same  game* 
survival. 

It  should  be  stressed  again  that  we  not  only 
have  to  develop  and  make  available  component 
parts  with  inherent  failure  rates  approaching 
.0001$  per  thousand  component  part  hours  but  we 
also  have  to  learn  how  to  design  systems  that  will 
actually  realize*  in  operation,  these  lower 
failure  rates. 

Conclusions 

Reviewing  this  discussion*  we  have  endeav- 
ored to  establish  that; 

1.  Our  individual  survival*  our  companies* 1 
survival  and  on  up  the  ladder  depends 
upon  the  survival  of  our  country  which 
In  turn  is  contingent  upon  an  effective 
military  establishment. 


345 


2*  An  effective  military  establishment 
depends  upon  adequate  systems. 

An  adequate  system  can  be  defined  as  the 
lowest  total  cost  system  that  will  do  what  the 
user  expects  it  to  do  whenever  called  upon, 

3*  System  performance  characteristics. 

Mission  Reliability  and  availability  are 
not  of  themselves  adequate  goals*  The 
true  goal  is  a system  complex  that  will 
perform  its  intended  function  at  the 
lowest  possible  total  cost* 

k.  This  true  goal  can  be  attained  by, 

(a)  accepting  the  cost  of  pushing  compo- 
nent failure  rates  ever  lower  and  (b) 
accepting  the  cost  of  designing  systems 
that  will  fully  realize  these  lower 
failure  rates. 


346 


system  evolution 


3^7 


USE 


components 

transistors 


components 

resistors  and  capacitors 


initial  system  cost 


o 


i i i 


o 

o 

o 


o 

o 


aasn  am  01  aauaAnaa 

"iso3  NoiiDnaoad  aAiiviau 


350 


0001 L .001  .01 

FAILURE  RATE 

(%  PER  T000  COMPONENT  PART  HRS) 


system 

total  annual  cost 


o 

oo 

o 

o 

o 

o 

ctco 

o 

o 

o 

ct 

*" 

W31SAS -SJLSOD  3AI1V13H 


351 


system 

total  annual  cost 


352 


system  complex 

total  annual  cost 


353 


.0001  .001  .01 
AVERAGE  COMPONENT  PART  FAILURE  RATE 

1%  PER  1000  COMPONENT  PART  HRS) 


SYSTEM  RELIABILITY  ESTIMATION 


L.  IS*  St*  James 
Bell  Telephone  Laboratories 
Whippany,  Rev  Jersey 


Introduction 

It  is  essential  that  some  device,  process  or 
method  be  available  for  estimating  the  reliability 
and  availability  of  a system  even  when  the  system 
is  only  in  the  conceptual  stage*  This  is  not  be- 
cause reliability  and  availability  are  in  them- 
selves end  points  but  because  these  factors  must 
be  known  to  a high  degree  of  accuracy  if  an  honest 
attempt  is  to  be  made  to  provide  the  user  with  a 
truly  adequate  system* 

The  previous  paper  defined  an  adequate  system 
as  the  lowest  total  cost  system  which  will  do  what 
the  user  expects  it  to  do  whenever  called  upon* 

Also,  in  the  light  of  the  economic  considerations 
developed  therein,  we  can  put  this  definition  into 
an  operational  form  which  fully  covers  the  concept 
of  "adequacy"* 

An  Adequate  System 

An  adequate  system  is  one  that  makes  use  of 
component  parts  having  the  lowest  possible  inherent 
failure  rate  and  is  so  designed  as  to  actually  real- 
ize  this  failure  rate  in  normal  use* 

This  is  a fundamental  and  basic  criterion  for 
adequacy,  necessary  but  noc  necessarily  sufficient* 

The  second  almost  axiomatic  rule,  developed 

was ; 

A system  should  be  designed  so  as  to  have  an 
availability  of  at  least  99$* 

It  is  only  by  designing  and  manufacturing  a 
system  so  that  it  is  ready  to  perform  its  Intended 
Function  substantially  all  the  time,  that  we  can 
avoid  installing  several  systems  when  one  system 
is  needed  at  any  one  time* 

Referring  to  Figure  1,  the  estimation  process 
makes  use  of  factors,  such  as  effective  circuit 
margins  and  general  adequacy  of  design  obtained 
from  the  use  phase  of  earlier  systems*  These 
factors  enter  into  the  estimates  developed  for  a 
proposed  system  first  in  the  Design  Intent  phase 
and,  later  as  design  matures,  into  the  Product 
Design  phase* 

In  order  to  further  define  the  reliability 
estimation  problem  and  place  it  in  proper  per- 
spective, it  is  desirable  to  repeat  the  definition 
of  Design  Intent.  This  was  subdivided  as  follows: 


A*  Operational  Capability 

1-  Performance  Characteristics 
£,  Mission  Reliability 
3.  Availability 

B*  Total  Cost 

I*  First  cost  of  a system 
2.  Installation  cost  of  a system 
3*  Cost  of  operation  of  a system 
4 4 Cost  of  maintenance  of  a system 
5*  Number  of  systems  required  to  solve 
the  total  problem 

Obviously,  if  we  are  to  weigh  various  solu- 
tions to  a given  problem  in  terms  of  system  per- 
formance characteristics,  mission  reliability 
and  availability  and  evaluate  these  in  terms  of 
the  various  components  of  total  cost  to  the  user, 
we  must  have  estimates  of  reliability  and  avail- 
ability at  least  as  good  as  the  estimates  of 
performance  and  costs.  After  the  Intended  Func- 
tion of  a system  has  been  established  and  the 
actual  design  begins  to  develop,  the  estimating 
procedure  must  have  within  itself  provisions  for 
keeping  it  continuingly  abreast  of  the  system  de- 
sign. Only  by  such  a process  will  it  be  possible 
to  know  in  time  to  effect  significant  and  neces- 
sary changes  in  the  developing  system  concept 
whether  or  not  reliability  objectives  are  being 
jeopardized. 

Reliability  Estimation  Process 

The  estimation  of  the  mission  reliability 
and  availability  of  an  electronic  system  are 
currently  based  upon  a number  of  reasonable 
assumptions.  Mission  reliability  is  defined  in 
the  customary  manner  by: 

- c-t  ) 

P ^ exp 

where;  P is  the  probability  of  success  for  a 
mission  time  t 

$ is  the  meantime  between  failures  of  the 
system  or  the  reciprocal  of  the  failure 
rate  * 

Assumptions 

Implicit  in  this,  of  course,  is  the  first 
assumption*  The  times  between  failures  are  dis- 
tributed exponentially  or,  stated  another  way, 
the  failure  rate  of  the  system  remains  essentially 


355 


constant  during  its  useful  life,  This,  in  itself , 
is  perhaps  among  the  least  questionable  of  the 
assumptions  required  by  the  estimation  process. 

In  order  for  the  probability  of  success  so  deter- 
mined to  have  any  real  meaning  to  the  user  oper- 
ating the  system,  lack  of  success,  or  failure  must 
be  defined  in  terms  of  the  Intended  Function  of 
the  system.  This  requires  a second  assumption. 
There  is  a sharpy  identifiable  line  of  deraarkation 
between  a system  capable  of  performing  its  intended 
function  and  one  that  is  not  so  capable. 

In  an  extreme  case,  loss  of  prime  power  on  a 
radar  obviously  causes  radar  failure-  It  is  com- 
pletely open  and  shut*  there  is  no  question. 

However s consider  a radar  whose  Intended  Function 
is  to  detect  a target  of  some  minimum  effective 
cross  section  at  some  maximum  distance  and  es- 
tablish a track  in  some  maximum  time.  There  are 
obvious  reasons  for  requirements  of  this  sort  such 
as  the  necessity  to  engage  a target  sufficiently 
far  from  its  objective  so  that  it  will  not  do  just 
as  much  damage  as  it  would  have  if  it  actually 
reached  its  objective.  Also,  but  perhaps  less 
obvious,  detection  and  establishing  a track  under 
limit  conditions  are  not  open  and  shut  but  are 
associated  with  a probability.  This  probability 
may  be  nearly  unity  or  it  may  be  5056  or  less  de- 
pending upon  the  system  designer's  embodiment  of 
the  Intended  Function  in  his  concept  of  Design 
Intent , 

Now  consider  degradation  of  the  loop  gain  of 
the  transmitter-receiver  of  * say,  3 db,  6 db,  10  db, 
etc.  This  is  definitely  a reliability  considera- 
tion but  where  does  It  fit  in  the  basic  definition 
of  mission  reliability?  The  truth  Is,  it  does  not 
fit  until  some  arbitrary  definition  of  radar  fail- 
ure Is  set  in  terms  of  a supposedly  rational 
interpretation  of  the  Intended  Function  and  Its 
embodiment  in  Design  Intent,  This  leaves  con- 
siderable latitude  for  the  worse  and  cheaper 
contingent  to  provide  a radar  with  a very  high  cal- 
culated mission  reliability  that  will  hardly  ever 
do  what  the  user  expects  of  it.  It  is  little 
wonder  that  the  term  numbers  racket  has  been 
applied  to  reliability  estimation. 

In  contrast,  consider  the  effect  on  a digital 
data  processing  system  associated  with  this  radar. 
It  is  composed  of  many  thousands  of  logic  elements 
and,  in  the  usual  reliability  calculations , the 
failure  rates  of  all  logic  elements  are  added  to 
determine  the  total  failure  rate  of  the  entire 
data  processing  system.  Now  in  calculating  a 
single  track  from  data  supplied  by  the  radar  and 
performing  other  manipulations  required  by  the 
overall  system,  only  a small  fraction  of  these 
logic  elements  are  used.  The  failure  rate  for  the 
data  system  therefore,  is  pessimistic,  much  too 
high.  This  can  compensate  for  a too  optimistic 
definition  of  success  in  the  radar  case  and  it  Is 
this  sort  of  thing  that  permits  the  numbers 
racket  to  get  even  close  to  the  true  situation  if 
used  with  discretion. 

In  looking  at  the  mission  reliability  esti- 
mation process  from  the  bottom  up  Instead  of  from 


the  top  down,  a third  assumption  has  obviously 
been  made.  Any  large  homogeneous  population  of 
like  component  parts  has  an  inherent  failure  rate 
which  can  be  considered  to  be  essentially  constant 
during  the  expected  life  of  the  system.  This  Is 
certainly  not  tenable  for  wear  out  Items , such  as 
magnetrons  and  large  klystrons.  However,  a system 
actually  comprises  heterogeneous  mixtures  of  com- 
ponent parts  and,  with  replacement  of  failed  parts, 
the  system  approaches  a constant  failure  rate. 

The  fourth  assumption  is  that,  in  any  system, 
these  inherent  failure  rates  are  completely  In- 
dependent and  therefore  they  can  be  added  to  get 
what  we  might  think  of  as  the  lowest  achievable 
failure  rate  of  the  system. 

Failure  Definition 

It  is  probably  best  to  consider  the  effect 
of  the  third  and  fourth  assumptions  on  system 
reliability  estimation  jointly  since  they  in- 
teract very  strongly  in  the  estimation  process* 

We  are  first  faced  with  the  usual  problem , what 
Is  a failure?  In  the  component  part  field*  a 
failure  Is  seldom  defined  as  a resistor  becoming 
open  or  short  but  it  Is  usually  defined  as  a 
change  in  one  or  more  of  the  important  parameters 
of  a component  in  excess  of  a specified  amount. 
Definition  of  change  as  a failure  carries  over 
into  the  extensive  life  tests  many  of  us  have 
run  over  the  years  and  It  is  exceeding  some 
maximum  change  limit  that  we  call  a failure. 

The  Inherent  failure  rate,  then*  Is  in  fact 
based  upon  a change  greater  than  some  arbitrary 
limit. 

In  line  with  the  fourth  assumption  these 
failure  rates  are  added  to  get  the  lowest 
achievable  failure  rate  for  a system.  We  look 
upon  this  simple  addition  as  giving  a goal  that 
can  be  approached  by  a physical  system  but  can- 
not actually  be  fully  attained.  If  we  concern 
ourselves  only  with  meeting  some  mission  re- 
liability goal  we  need  go  no  further  than  to 
decide  upon  some  multiplier  for  this  lowest 
achievable  failure  rate  to  give  us  the  expected 
system  failure  rate.  This  expected  failure  rate 
multiplier  can  be  determined  from  a review  of  the 
past  performance  of  the  design  group  involved 
together  with  a study  of  the  current  design. 

This  has  proved  to  be  a satisfactory  method  In 
the  past.  If  It  is  only  necessary,  then,  to 
meet  some  stated  mission  reliability  objective 
we  can  conceivably  sign  off  even  though  the 
multiplier  may  be  1 0 or  even  higher.  Stopping 

at  this  point  has  certain  attractive  features, 
a relatively  minor  one  being  that  it  reduces  the 
importance  of  the  fourth  assumption  concerning 
the  independence  of  component  part  failure  rates 
which  justifies  their  addition.  The  most 
attractive  feature,  of  course,  is  that  it  permits 
the  designer  to  carry  over  from  earlier  designs, 
concepts,  solutions  and  even  circuits  and  sub- 
systems without  anyone  concerning  himself  with 
improving  their  failure  rates.  This  saves 
development  time  and  cost  but  is  exceedingly 

expensive  to  the  user  and,  from  an  overall  stand- 
point, nonsurvival* 


356 


requirement  of  100  systems  this  limit  becomes  800 
and  for  the  1000  systems  it  becomes  80OO-  One 
system  does  not  even  show  on  the  chart*  However  , 
this  is  only  part  of  the  picture,  as  will  be 
discussed  later. 


Total  Cost  Considerations 

If  we  are  to  discharge  our  obligation  to 
supply  the  user  with  a truly  adequate  system  that 
he  can  fit  into  a truly  adequate  system  complex, 
we  must  consider  the  total  cost  picture.  In 
general,  this  leads  directly  to; 

1.  Use  only  component  parts  having  the 
lowest  failure  rate  now  available. 

2*  Design  the  system  to  make  full  use  of 
this  low  failure  rate. 

3*  Design  the  system  for  an  availability 
of  at  least  99$  • 

The  first  of  these  three  statements  has  been 
shown  in  the  first  paper  to  be  a necessity.  Parts 
that  are  too  good  and  too  costly  are  not  yet 
available.  The  second , however,  involves  some 
increase  in  design  and  development  cost  which  may 
be  substantial.  However,  if  the  total  number  of 
systems  required  is  large,  this  increase  becomes 
negligible  from  an  over “all  cost  standpoint.  Also, 
the  third  statement  involves  some  increase  in 
design  cost  in  addition  to  an  increase  in  the 
production  cost  of  the  system. 

We  would  like  to  be  in  a position  to  evaluate 
these  costs.  However,  we  have  not  yet  produced 
enough  systems  of  enough  different  types  to  enable 
us  to  estimate  the  increase  in  development  cost 
required  to  make  the  system  failure  rate  no  higher 
than  the  sum  of  the  inherent  failure  rates  of  its 
component  parts.  Also  we  have  not  fully  explored 
the  requirements  in  design  for  a 99$  availability. 
We  can,  however , make  estimates  of  the  maximum 
dollars  that  can  be  expended  for  these  pu rposes 
on  a relative  basis  and  still  break  even.  The 
number  of  dollars  available  is  large. 

Achieving  Inherent  Component  Failure  Rate 

Figure  2 shows  the  maximum  increase  in  de- 
sign cost  that  can  be  justified  in  order  to 
achieve  in  the  system  the  inherent  failure  rate 
of  component  parts.  Actually , in  order  to  get 
this  on  a relative  basis,  a multiplier  of  the 
production  cost  of  one  system  is  plotted  against 
a ratio,  the  effective  failure  rate  of  parts  as 
used  in  the  system  divided  by  the  inherent  part 
failure  rate.  The  curves  for  10,  100  and  1000 
systems  represent  upper  bounds  for  the  additional 
design  cost  that  can  be  justified  in  order  to 
realise  the  inherent  part  failure  rate  in  the 
system.  Any  cost  less  than  that  shown  on  the 
curves  represents  a net  gain  in  total  cost  to 
the  user.  Suppose  we  consider  a specific  value, 
a system  that  is  so  designed  that  the  effective 
component  part  failure  rate  is  10  times  the  in- 
herent failure  rate,  in  other  words,  10  times 
worse  than  it  need  be.  As  we  all  know,  there  are 
many  systems  in  use  that  are  not  even  this  good. 

If  the  total  requirements  are  for  10  systems, 
anything  less  than  80  times  the  first  cost  of 
the  system  can  be  spent  to  achieve  in  the  system 
the  full  component  capability.  For  a total 


This  points  out  the  futility  of  contracting 
for  the  design  and  construction  of  one  system 
without  full  knowledge  of  total  system  requirements. 
There  just  is  not  the  money  available  to  design 
an  adequate  system  on  the  basis  of  one.  All 
possible  corners  must  be  cut  and  compromises  made 
to  make  the  design  cost  compare  reasonably  well 
with  the  production  cost.  Reliability,  of  course, 
is  the  first  consideration  to  suffer  and  adequacy 
is  never  even  thought  of.  When  such  a design  is 
bought,  we  are  stuck  with  it  when  future  contracts 
are  let  to  produce  systems  to  fulfill  actual  re- 
quirements. 


It  is  not  only  necessary  to  buy  two  or  three 
times  as  many  systems  as  are  actually  needed  but 
each  has  roughly  10  times  the  maintenance  cost  of 
a truly  adequate  system. 

If  we  continue  this  example  of  a system  that 
started  with  10  times  the  failure  rate  of  the  sum 
of  its  parts  and  assume  that  it  had  an  initial 
availability  of  0.8,  just  decreasing  its  failure 
rate  Increased  its  availability  to  better  than 
O.95.  It  Is  only  a little  way  to  the  objective 
of  O.99.  It  seems  reasonable  to  assume  that  this 
would  not  increase  the  initial  cost  to  the  user 
by  more  than  10$.  Furthermore,  the  design  cost 
should  be  very  small,  perhaps  another  10$  of  the 
original  system  cost.  In  any  event  it  Is  evident 
that  there  is  a direct  Interaction  between  the 
effective  failure  rate  of  component  parts  as  used 
in  a system  and  the  availability  of  the  system  so 
It  Is  quite  impossible  to  separate  these  effects. 

Achieving  An  Adequate  System  Complex 

Figure  3 shows  the  maximum  number  of  dollars 
that  can  be  spent  to  design  a system  that  will 
make  full  use  of  component  parts  having  a failure 
rate  of  .001$  per  thousand  component  part  hours 
and  with  an  availability  of  99$*  This  value  is 
plotted  against  the  total  number  of  systems  re- 
quired In  a complex. 

Since  the  determination  of  actual  dollars 
available  involves  a comparison  between  what  is 
currently  being  done  and  what  conceivably  can  be 
done,  it  is  necessary  to  start  from  an  assumed 
base  which  is  as  follows: 

System  Design  1 

1.  Production  cost  of  one  system 

$100,000 

2.  Effective  failure  rate  of  parts 
In  system  .01$ 

3.  Availability  of  system  0.8 


357 


An  adequate  system  which  appears  possible 
within  the  current  state  of  the  art  would  have 
the  following  characteristics*  It  will  be  assumed 
that  system  design  1 can  be  converted  to  system 
design  2 with  no  significant  increase  in  the  pro- 
duction cost  of  one  system.  This  is  not  quite 
true,  but  it  greatly  simplifies  the  calculations 
without  materially  altering  the  conclusions. 

System  Design  2 

1*  Production  Cost  of  one  system 

$100,000 

2.  Effective  failure  rate  of  parts 
in  system  *001$ 

3*  Availability  of  system  0*99 

A system  complex  requiring,  for  example , 10 
systems  operating  essentially  continuously  would 
require  the  installation  and  maintenance  of  30 
systems  of  design  1 to  do  the  job.  However, 
for  design  2,  the  availability  is  99$  and  only 
10  systems  must  be  installed  and  maintained  to  do 
the  job  of  10.  So  far  this  cuts  the  total 
assumed  cost  to  one  third.  Design  2 also  drops 
the  system  failure  rate  to  one  tenth  of  the  rate 
for  design  1 and  this  cuts  the  annual  maintenance 
cost  to  one  tenth  for  each  system. 

The  over -all  result  seems  almost  fantastic. 

If  only  10  systems  are  required  in  a complex 
and  each  costs  $100,000,  we  can  afford  to  spend 
$28  million  on  the  design  to  obtain  an  avail- 
ability  of  99$  achieve  an  effective  failure 
rate  of  .001$  per  thousand  component  part  hours. 

If  the  number  in  the  complex  is  100,  we  can  spend 
$280  million  and  still  break  even.  I doubt  that 
anyone  will  contend  that  it  is  likely  to  cost 
more  than  a fraction  of  this  amount  to  design  a 
truly  adequate  system  and  anything  less  than  these 
huge  numbers  is  a measure  of  our  chances  of 
survival . 

Summary 


4.  Circuits,  plug  in  assemblies,  subsystems, 
etc*  should  not  be  borrowed  from  earlier 
systems,  with  or  without  performance  type 
modifications,  unless  it  can  be  demon- 
strated from  data  that  these  units  actually 
have  realized  the  inherent  failure  rates 
of  their  component  parts* 

5*  Explore  for  the  simplest  possible  solu- 
tion. Avoid  hanging  on  gadgets  to  make 
a marginal  design  squeak  through. 

Many  such  things  that  we  all  do  will  readily 
come  to  mind.  An  awareness  of  the  cost  problem 
and  its  vital  effect  on  survival  should  provide 
the  will  to  change  our  ways  and  really  design  and 
manufacture  adequate  systems. 


L.  N.  ST.  JAMES 


Money,  alone,  will  not  accomplish  the  job  and, 
at  the  moment,  no  cook  book  rules  have  been 
written . However,  certain  general  principles 
can  be  stated. 

1*  A truly  functional  definition  of  failure 
must  be  developed  for  a system. 

2.  Every  circuit  must  be  so  designed  that  it 
will  continue  to  operate  as  intended  un« 
til  at  least  one  component  part  in  it 
exceeds  Its  end  of  life  requirements. 

In  other  words,  circuits  must  be  designed 
in  terms  of  the  component  part  failure 
criterion  actually  used  in  evaluating 
component  parts. 

3«  It  Is  almost  essential  that  ground  based 
equipments  and  most  mobile  equipments  be 
supplied  with  a temperature  controlled 
environment  in  the  order  of  23 °C* 


358 


system  evolution 

reliabilityo  estimation  phase 


359 


INSTALLATION 


system 

realizing  inherent  failure  rate 


O 00 


W31SAS  3NO  ‘JLSOD  NOIlDnaOtId 
1SOD  N9IS3Q  WnWIXVW 


360 


EFFECTIVE  COMPONENT  FAILURE  RATE 
INHERENT  COMPONENT  FAILURE  RATE 


system  complex 

securing  adequate 
system  design 


($  JO  SNOI11IW)  319V1IVAV  lNflOWV  ‘XVW 


361 


10  100  1000 

NUMBER  OF  SYSTEMS 

(REQUIRED  CONTINUOUSLY  IN  COMPLEX) 


SYSTEM  RELIABILITY  EVALUATION  TESTING 


G.  A,  Schiehser 

Bell  Telephone  Laboratories,  Inc, 
Whippany,  N,  J. 


A major  purpose  of  system  reliability  testing 
is  to  provide  Information  of  value  to  the  responsi- 
ble organizations,  whether  they  be  administrators, 
designers,  manufacturers  or  users.  Any  test  or 
evaluation  procedure  which  does  not  incorporate 
the  necessary  devices  for  providing  the  required 
information  to  these  separate  organizations,  with 
widely  differing  interests  and  responsibilities, 
falls  short  of  its  primary  purpose. 

Referring  to  figure  1,  shoving  system  evolu- 
tion, two  principal  reliability  test  phases  have 
been  added  with  their  information  feed  back  paths. 
On  the  left,  the  Design  Verification  test  Is  shown 
with  information  deriving  from  the  model  program 
phase  feeding  back  into  the  product  design  phase. 
Ordinarily,  this  may  be  considered  as  the  primary 
channel  However,  all  too  frequently.  Product 
Design  (the  specifications,  drawings,  test 
requirements,  etc,)  fails  to  fully  reflect  design 
intent.  It  is  vital  that  the  Design  Verification 
Test  shows  up  this  failure  so  that  necessary 
changes  can  be  made  In  the  specifications  and 
requirements.  It  is  generally  agreed  that  this 
test  should  confirm  whether  or  not  the  system  con- 
forms to  the  specified  requirements,  including  the 
reliability  requirements,  and  few  will  deny  that 
the  potential  user  should  have  access  to  these 
data  if  he  so  desires.  The  point  that  we  are 
trying  to  make  is  that  the  information  derived 
from  this  test  must  be  much  more  than  an  estimate 
of  the  mean  time  between  failures  at  some  arbitrary 
confidence  level. 

Reflect  upon  the  operational  form  of  the 
definition  of  an  adequate  system  as  derived  in  the 
previous  paper. 

An  adequate  system  is  one  that  makes  use  of 
component  parts  having  the  lowest  possible  in- 
herent failure  rate,  is  so  designed  as  to  actually 
realize  this  failure  rate  In  normal  use  and  is 
designed  to  have  an  availability  of  at  least  99$- 

There  are  three  distinct  factors  involved  in 
this  concept  (1)  use  lowest  failure  rate  parts, 

(2)  design  to  make  full  use  of  this  lowest  in- 
herent failure  rate  and  (3)  design  for  an  availa- 
bility of  995L  Ail  three  are  basic  properties 
inherent  in  the  design,  but  the  first  need  not 
be  (and  in  many  conceivable  situations,  cannot  be) 
verified  or  demonstrated  by  a system  test.  The 
component  parts  used  are  specified  on  the  drawings 
and  It  Should  have  been  previously  ascertained 
that  they  have  the  lowest  attainable  failure  rate. 
The  system  failure  rate,  or  mean  time  between 
failure,  has  already  been  estimated  and  it  has 


been  confirmed  that  full  use  has  been  made  of  the 
inherent  part  failure  rate.  The  99$  availability 
requirement  can  be  expected  to  have  resulted  in  a 
design  with  large  plug  In  units  which,  when  in 
trouble,  are  identified  by  some  automatic  or  easily 
workable  process.  It  would  appear,  then,  that  all 
we  need  to  know  is  that  the  mean  time  between 
failures  is  at  least  as  long  as  the  estimated  time 
and  that  the  time  required  to  restore  normal  opera- 
tion is  not  more  than  one  one  hundredth  of  this. 
However,  if  we  look  at  the  total  problem  from  the 
standpoint  of  the  various  organizations  involved, 
we  are  again  confronted  with  the  situation  of 
having  done  what  is  necessary  but  not  necessarily 
sufficient.  Let  us  refer  back  to  the  basic  concept 
underlying  the  operational  definition  of  an  ade- 
quate system]  that  is,  an  adequate  system  is  the 
lowest  total  cost  system  that  will  do  what  the 
user  expects  It  to  do  whenever  called  upon. 

From  management 1 s point  of  view,  the  design 
should  be  evaluated  in  terms  of  its  intended 
Function.  Management  might  well  settle  for  evalu- 
ation In  terms  of  Design  Intent  if  it  can  be  shown 
(and  this  is  usually  possible),  that  Design  Intent 
fully  reflects  the  Intended  Function.  Furthermore, 
the  manager  is  not  interested  in  prolonged  and 
expensive  testing  of  many  systems  for  show  pur- 
poses, nor  is  he  interested  in  delaying  schedules 
and  shipment  dates  beyond  that  necessary  to  estab- 
lish one  thing:  Will  the  system  do  what  is 

expected  of  it  whenever  called  upon?  He  needs  to 
know  this  not  just  to  satisfy  his  contract  obliga- 
tions but,  more  importantly,  to  do  what  be  can  to 
insure  his  country's  survival  and  thereby  his 
company's  and  his  own  well  being.  Looking  at 
management's  basic  question  more  closely,  he  has 
confidence  in  his  designers  and  he  has  kept  abreast 
of  and  taken  an  active  part  in  the  derivation  of 
Design  Intent  and  its  expression  in  Product  Design. 
If  everything  has  operated  without  substantial 
error  throughout  this  elaborate  and  complex  process, 
an  adequate  system  will  and  usually  does  result. 

The  manager,  therefore,  is  looking  for  undetected 
error. 

Looked  at  from  the  system  designer's  view- 
point, he  has  done  everything  he  knows  how  to 
insure  that  his  creation  meets  the  criteria  for  an 
adequate  system*  He  has  accepted  the  guidance  of 
the  reliability  group  and  they  have  been  mostly 
right  in  the  past.  Summed  up,  he  feels  confident, 
entering  into  the  Design  Verification  test,  that 
his  design  will  do  what  is  expected  of  it  whenever 
called  upon*  However,  he  knows  that  engineers  are 
human  and  they  do  make  errors,  infrequently  perhaps, 


363 


“but  none  the  less  errors*  What  he  asks  of  the 
Design  Verification  test,  then,  is  a high  level  of 
assurance  that,  if  errors  have  been  made  which  will 
significantly  jeopardize  the  adequacy  of  the 
system,  such  errors  will  be  exposed  to  view  as 
rapidly  as  possible.  He  also  reiterates  manage- 
ment’s viewpoint  concerning  schedules,  not  because 
he  automatically  thinks  along  these  lines,  but 
because  his  survival  depends  upon  his  support  of 
management . 

Now  if  we  expand  this  thinking  to  cover  pro- 
duction control  tests  and  refer  again  to  figure  1, 
the  information  is  shown  to  derive  from  the  pro- 
duction phase  and  to  feed  back  into  production. 

It  also  feeds  into  the  two  higher  levels.  Product 
Design  and  Design  Intent. 

In  this  case  managements  questions  are  the 
same  except  now  they  are  asked  of  the  overall  pro- 
duction output.  Ihe  designer’s  questions  are  also 
directed  toward  the  total  output  of  production  but 
they  run  more  along  the  lines  of,  nHas  anything 
happened  in  production  to  deteriorate  significantly 
my  previously  established  design?"  Of  course,  his 
original  questions  are  still  asked  concerning 
errors,  since  there  is  always  a possibility  that 
design  errors  which  existed  originally  were  not 
detected  in  the  earlier  Design  Verification  test. 

Added  to  this  group  we  have  the  production 
engineer.  He  desires  assurance  from  production 
control  tests  that  he  will  know  promptly  if  his 
manufacturing,  inspection  and  test  processes  have 
permitted  product  to  deteriorate  significantly 
below  the  capability  inherent  in  the  design.  With 
assurance  that  this  has  not  occurred,  he  can  feel 
confident  that  his  product  will  do  what  is  expected 
of  it  whenever ’ called  upon. 

Reflecting  back  over  this  discussion,  all  the 
functionally  involved  groups  are  looking  for  the 
occasional  error.  If  none  has  been  made,  the 
Intended  Function  will  be  met  by  production  systems 
and  this  includes  the  mean  time  between  failures 
and  the  mean  time  to  restore  normal  operation. 
Reliability  testing  should  be  directed  toward  the 
much  broader  objective  of  answering  the  specific 
questions  of  the  functionally  involved  organiza- 
tions, which  reduce  essentially  to  error  detection 
rather  than  to  the  90$  confidence  demonstration  of 
mean  times  which  is  becoming  currently  popular. 

It  is  only  by  such  a complete  process,  as  is 
described  in  this  series  of  papers  confirmed  by  an 
error  detection  test,  that  the  user  can  secure 
assurance  of  adequate  systems. 

Unfortunately,  we  do  not  have  all  the  answers 
to  this  problem  of  error  detection.  fo  date,  we 
have  tried  several  procedures  which  have  been  more 
or  less  successful  but  none  have  proved  ideal. 

The  objective  should  be  to  devise  test  procedures 
that  will  yield  a high  level  of  assurance  of 
detecting  any  significant  errors  in  this  elaborate 
and  complex  process  which  we  have  labeled  System 
Evolution. 


system  evolution 

design-verification  and 
production-control  phase 


i 


365 


. 

•f 


CONFRONTING  THE  ENVIRONMENT 


T.  B.  Delchamps 

Bell  Telephone  Laboratories,  Inc. 
Whippany,  N.  J. 


1 7>T  * SUMMARY 

This  paper  highlights  two  areas  in  the 
environmental  field  requiring  a more  imaginative 
and  objective  meeting  of  design  and  reliability 
functions.  Thorough  and  timely  environmental 
definition,  as  an  essential  ingredient  of  success- 
ful system  design  and  meaningful  reliability  esti- 
mation, is  discussed.  Two  examples  of  current 
importance  in  the  areas  of  missile -vibration  and 
space -environment  simulation  are  briefly  reviewed. 

INTRODUCTION 

In  biology,  adaptation  is  defined  as  the 
"modification  of  an  animal  or  plant  (or  of  its 
parts  or  organs)  fitting  it  more  perfectly  for 
existence  under  the  conditions  of  its  environ- 
ment." Being  of  patient  disposition,  nature  waits 
for  trouble  to  appear,  and  casually  proceeds  to 
handle  It.  In  systems  development,  however,  we 
cannot  afford  the  leisurely  approach.  Here,  the 
degree  of  success  is  measured  by  our  ability  to 
i’ke  most  of  the  "modifications 11  during  initial 
design.  For  this,  we  must  have  a fairly  good 
idea  of  what  the  environment  will  be.  Further, 
what  we  don't  know  in  advance  about  the  environ- 
ment must  be  learned  at  the  earliest  possible 
moment.  One  suspects  that  nature  has  been  rather 
more  successful  in  coping  with  environment  a!  prob- 
lems than  her  human  offspring.  Clearly,  improve- 
ment in  this  situation  is  everybody Ts  problem. 

The  role  of  Environmental  Engineering  in  sys- 
tems evolution  is  shown  in  broad  outline  on 
Figure  1.  The  degree  to  which  the  Environmental 
Engineering  effort  influences  product  reliability 
depends  directly  upon  the  quality,  quantity  and 
timeliness  of  the  prediction,  definition  and  simu- 
lation functions  indicated.  This  theme  will  be 
further  developed  in  the  following. 

ANATOMY  OF  FAILURE 

In  the  early  stages  of  system  evolution,  It 
Is  expected  that  those  with  concept  responsibility 
will  remain  somewhat  aloof  from  physical  reality. 
Barring  measures  to  the  contrary,  however,  the 
initially- justified  oversight  is  repeated  and  com- 
pounded by  others  In  frenzied  passage  through 
various  stages  of  detail  design,  model  fabrication, 
and  laboratory  qualification,  culminating  in  grand 
climax  with  field  evaluation  tests.  Timing  con- 
siderations having  displaced  reason  and  judgment, 
the  system  quite  frequently  fails  on  schedule. 

What  follows  is  costly,  time-consuming  and  often 


involves  compromise  of  mission  performance.  As 
with  the  man  matching  pennies,  the  accrued  defi- 
cit is  virtually  beyond  recovery. 

This  Is  not  to  condemn  the  schedule  per  se, 
as  it  is  normally  an  effective  instrument  of 
orderly  progress;  nor  is  it  intended  to  lay  blame 
on  the  cone elver,  who  after  all  is  encouraged  to 
function  in  the  near  abstract.  Rather,  it  Is  to 
suggest  that  the  tyranny  of  time  frequently  de- 
grades quality  of  effort  by  stifling  the  exercise 
of  vision  and  review  as  vital  and  continuing 
forces  in  development.  Further,  we  sense  here  a 
basic  weakness  in  our  developmental  philosophy, 
which  permits  discrete  specialties  the  luxury  of 
mutual  indifference,  and  fails  in  maximum  utiliza- 
tion of  total  information  available  at  any  given 
moment . 

TOO  LITTLE,  TOO  LATE 

There  Is  perhaps  no  better  example  of  this 
organic  ailment  than  industry's  collective  failure 
to  deal  effectively  with  the  environment.  Here  is 
a formidable  adversary  demanding  early  recognition, 
definition  and  vigorous  sustained  action  in  defense 
of  program  goals.  Elaborate  facilities  and  myriad 
specifications  notwithstanding,  the  full  potential 
of  environmental  cognizance  is  simply  not  being 
realized.  Indeed,  design,  prediction  and  labora- 
tory evaluation  based  on  careless,  unsupported  and 
unconfirmed  assumption,  frequently  serve  to  degrade 
the  product  and  cloud  the  reliability  picture. 
Through  a combination  of  late  and  limited  attention 
to  environmental  definition,  and  inadequate  simu- 
lation techniques,  the  true  determination  of  prod- 
uct reliability  remains  in  default  until  the 
field -evaluation  phase,  when  the  opportunity  for 
corrective  action  has  all  but  vanished. 

Forces  resisting  Improvement  In  this  situa- 
tion Include  rigid  schedules,  budget  constraints, 
provincial  attitudes,  Indifference  and  even  antag- 
onism toward  any  departure  from  the  traditional 
terminal  evaluation.  There  is  no  pat  solution  to 
this  dilemma.  The  first  step  may  be  recognition 
of  the  problem  as  an  essentially  human  one,  with 
the  mere  physical  aspects  quite  susceptible  to 
imaginative  treatment . In  this  vein,  it  would 
seem  appropriate  to  focus  strong  attention  upon 
thorough  environmental  definition  as  a key  ingre- 
dient in  system  development,  demanding  careful 
estimates,  earliest  possible  confirmation  and  con- 
tinuing review  from  initial  concept  through  tac- 
tical capability  of  a given  system.  The  companion 


36? 


problem  of  rhow  best  to  simulate  environments  of 
importance , tends  toward  ready  solution  once  the 
essential  facts  are  known. 

THE  PRICE  OF  IGNORANCE 

Ascribing  broad  connotation  to  the  terms 
stress  and  strength,  we  can  apply  these  terms  in 
a general  way  to  any  physical  situation  we  wish. 
Specifically,  we  can  state  that  failure  occurs 
when  stress  exceeds  strength.  Postulating  a nor- 
mal density  function  for  stress  level,  and  assum- 
ing that  strength  is  also  normally  distributed 
(but  advancing  no  theories  in  either  regard),  we 
will  now  examine  the  probability  that  stress  ex- 
ceeds strength  under  various  combinations  of  mean 
and  variance  for  each  distribution.  The  severe 
penalty  associated  with  careless  assumption  of 
these  properties  for  design  purposes,  or  failure 
to  recognize  their  variability,  is  implicit  in 
this  discussion. 

^ Referring  to  Figure  2 , the  expected  penalty 
in  failure  frequency  imposed  by  high  variability 
and  low  mean  offset  in  stress  and  strength  proper- 
ties, is  quite  obvious.  Conversely,  the  benefits 
accruing  from  low  variability  and  high  mean  offset 
are  equally  apparent.  While  there  is  nothing  par- 
ticularly surprising  about  these  properties,  the 
relationships  presented  serve  to  emphasize  the 
vital  role  of  early  and  accurate  environmental 
definition  in  successful  system  development. 

Having  established  a general  viewpoint,  we 
will  now  examine  some  specific  effects  of  error 
in  assumed  environmental  stresses.  As  we  proceed, 
it  should  be  remembered  that  the  errors  in  ques- 
tion, though  like  in  effect,  may  arise  either 
through  justified  lack  of  prior  knowledge  of  the 
environment,  unjustified  failure  to  extract  such 
knowledge  from  early  experiments,  failure  to  allow 
for  variability  in  measured  stresses,  or  just  plain 
carelessness  in  measurement  or  assumption.  The 
first  error  mentioned  above  must  be  accepted  and 
allowed  for;  the  remaining  three  must  not  be 
tolerated . 

Referring  to  Figure  3j  we  observe  the  estab- 
lished failure  response  of  mica  capacitors  to  in- 
creased temperature.  Note  that  an  arbitrary  base 
level  of  30°C  has  been  assumed.  Apart  from  the 
familiar  acceleration  characteristic  shown,  and 
its  effect  on  replacement  requirements,  the  sig- 
nificant property  inviting  recognition  is  the 
increase  in  sensitivity  to  variation  at  higher 
temperatures.  For  example,  moving  from  50° C to 
60°C  along  the  acceleration  curve  nearly  doubles 
the  effect  of  a 10°C  variation  in  temperature 
about  the  levels  assumed.  This  is  the  kind  of 
physical  reality  so  often  ignored  in  the  casual 
selection  of  environments  for  reliability  estima- 
tion and  evaluation  purposes.  Under  these 
circumstances,  prediction  and  sample  parameters, 
upon  which  critical  program  decisions  frequently 
depend,  are  rendered  meaningless. 


Another  example  is  presented  on  Figure  k for 
germanium  semiconductors.  The  foregoing  comments 
apply  equally  well  in  this  case,  with  one  excep- 
tion. The  effects  in  question  become  less  pro- 
nounced as  dissipation  level  is  reduced. 

An  important  environmental  property  of 
Nickel -Cadmium  cells,  currently  popular  in  satel- 
lite applications,  is  presented  on  Figure  5»  This 
example  involves  the  simple  supply-and -demand 
relationship  of  a solar  power  plant.  When  con- 
verted solar  energy  exceeds  dissipation  within 
the  satellite  for  extended  periods,  an  overcharge 
condition  develops.  Tolerance  to  this  state  is 
essentially  a function  of  cell  temperature,  which 
determines  the  voltage  level  at  any  given  charge 
current.  Cell  voltages  above  about  1.5  reflect 
a fully -charged  negative  electrode,  and  signal 
the  evolution  of  hydrogen  at  a faster  rate  than 
it  can  recombine  at  either  electrode.  The  asso- 
ciated pressure  buildup  results  in  failure  of  the 
case . 

Clearly,  survival  of  these  cells  in  satellite 
applications  is  critically  dependent  upon  tempera- 
ture extremes  experienced  in  orbit.  While  thermal 
balance  calculations  permit  a reasonable  estimate 
of  anticipated  conditions  for  initial  design  pur- 
poses, complex  thermal  properties  of  satellite 
skin,  structure  and  active  elements  make  full- 
scale  prelaunch  space  simulation  mandatory.  Only 
in  this  manner  can  theoretical  results  be  con- 
firmed and  reasonable  assurance  of  reliability  in 
orbit  be  established.  A current  technique  for 
conducting  such  tests  will  be  briefly  covered 
later . 

A final  example  of  environmental  sensitivity 
is  presented  on  Figure  6.  Here  we  have  shown  the 
effect  of  broad -band  random  vibration  on  contact 
continuity  of  a relay,  assuming  a white  spectrum. 
G-levels  indicated  reflect  the  acceleration  at 
which  balance  of  colinear  restraining  and  inertia 
forces  is  achieved  for  a particular  relay.  The 
significant  attribute  of  these  data  lies  in  the 
steepening  gradient  in  sensitivity  to  the  white 
noise  environment,  with  increasing  degrees  of  en- 
vironmental mismatch.  Again,  the  necessity  for 
early  determination  and  application  of  environmen- 
tal knowledge  as  vital  adjuncts  to  product  design 
and  development,  is  clearly  implied. 

FORESIGHT  VERSUS  HINDSIGHT 

In  the  following,  we  will  touch  upon  two 
simulation  problems  of  current  importance,  and 
give  limited  detail  on  how  these  have  been  handled 
in  recent  programs.  It  is  well  to  point  out  that 
both  of  these  examples  involve  environments  for 
which  laboratory  simulation  offers  vital  informa- 
tion at  total  costs  at  least  an  order  of  magnitude 
less  than  a single  launch.  Further,  vital  infor- 
mation generated  in  flight  is  normally  inaccess- 
ible at  the  moment  of  generation,  and  is  frequently 
irretrievable  after  flight  termination. 


368 


A Technique  in  Space  Simulation 

Our  first  example  involves  space -environment 
simulation,  in  which  significant  strides  in  method 
have  teen  made  during  the  past  two  years.  It  is 
not  intended  to  review  this  history,  tut  rather  to 
describe  in  brief  a simple  and  relatively  inexpen- 
sive experimental  technique  for  thermal-vacuum 
testing,  which  is  being  applied  successfully  in 
the  lei star  Communications  Satellite  program.  The 
problem  iq  to  determine  thermal -balance  properties 
and  evaluate  operating  characteristics  of  the 
satellite  under  the  varying  conditions  of  illumin- 
ation and  internal  dissipation  which  will  be  ex- 
perienced in  orbit.  To  do*this,  we  need  an  energy 
source,  an  energy  sink  and  a non -convective  en- 
vironment . 

A cutaway  view  of  the  test  facility  being 
used  in  this  program  is  presented  on  Figure  7» 

The  workspace  is  a cylinder  4.5  feet  in  diameter 
and  8 feet  long,  bounded  by  a high-emissivity 
"stainless -steel  shroud,  which  is  cooled  to  approx- 
imately -300°F  by  liquid  nitrogen.  Simulated 
solar  illumination  from  three  carbon  arc  lamps, 
each  with  a 420-watt  condensible  beam  possessing 
desired  spectral  properties,  is  introduced  through 
pyrex  windows  in  the  rear  wall.  Pressures  in  the 

range  of  10“^  mm  Hg  are  maintained  by  a 16-inch 
diameter  oil-diffusion  pump.  Provisions  have  been 
made  for  supporting  and  slowly  rotating  the  satel- 
lite in  four  orientations,  with  instrumentation 
leads  feeding  through  vacuum-tight  terminals  in 
the  shaft  end -plate.  Slip  rings  have  been  avoided 
by  programming  rotation  in  two  directions,  with 
sufficient  slack  in  the  leads  to  accommodate  sev- 
eral turns  each  way.  Illumination  is  monitored  by 
an  array  of  three  1 x 2 cm  solar  cells  positioned 
about  6 inches  in  front  of  the  satellite. 

Ideally,  energy  density  and  spectral  distri- 
bution of  the  incident  beam  should  correspond  to 
the  sunrs.  rays  in  near-space.  Similarly,  absorp- 
tive properties  of  the  heat  sink  and  its  tempera- 
ture should  match  as  closely  as  possible,  the 
cold,  spectr ally-black  qualities  of  space.  Earth’s 
reflected  energy  (albedo)  and  infrared  radiation 
must  also  be  considered  as  energy  contributors, 
and  molecular  mean- free -path  in  the  test  area  must 
be  high  enough  to  permit  neglect  of  air -conductive 
and  convective  he at -transfer  modes. 

The  latter  requirement  is  satisfied  by  pres- 
sures in  the  range  of  10~5  to  10”^  mm  Hg,  readily 
obtainable  in  this  facility  using  conventional 
vacuum  techniques.  In  attempting  to  fulfill  the 
other  requirements,  however,  varying  degrees  of 
design  compromise  have  been  dictated  by  a combina- 
tion of  program  urgency  and  state-of-the-art  lim- 
itations. Fortunately,  the  required  compromises 
are  theoretically  and  experimentally  accountable 
or  can  be  shown  to  have  relatively  minor  effects 
on  thermal  test  results. 


The  main  problem  involves  energy  reaching  the 
satellite  from  secondary  sources.  If  the  internal 
shroud  surfaces  were  non -re fleeting  (absorptivity  = 
l)  and  at  a temperature  of  4°K  (interstellar 
space),  the  satellite  would  receive  only  direct 
radiation  from  the  arcs.  Since  these  conditions 
cannot  be  achieved,  secondary  energy  is  received 
by  the  satellite  from  arc -light  reflection,  in- 
frared reflection,  and  infrared  emission  from  all 
visible  surfaces.  To  account  for  energy  from 
these  secondary  sources,  a black  shell  of  the  same 
external  dimensions  as  the  satellite,  and  posses- 
sing predictable  thermal  properties  in  space,  has 
been  used  as  prime  reference  in  evaluating  and 
programming  arc -lamp  illumination.  Since  lamp 
operation  is  limited  to  a fairly  narrow  power 
range,  rate  of  energy  input  is  controlled  by  vary- 
ing the  number  of  lamps  in  service  at  any  given 
time.  This  can  he  done  without  degrading  the 
experiment,  since  thermal  time  constants  of  the 
satellite  are  sufficiently  long  to  filter  out  the 
effects  of  any  short  "term  variations  in  illumina- 
tion. 

Simulation  of  Missile  Flight -Vibration  Environment 

As  our  second  example,  we  will  consider  simu- 
lation of  the  missile  flight -vibration  environment. 
Since  the  primary  sources  of  vibration  in  a missile 
are  the  propulsion  system  and  aerodynamic  excita- 
tion, this  environment  can  in  most  cases  be  con- 
sidered random.  A Gaussian  model  with  mean  zero 
is  assumed  for  vibratory  accelerations,  and  the 
vibration  environment  at  a particular  station  is 
characterized  by  power  spectra. 

In  practice,  simulation  of  the  random-vibra- 
ti on  environment  is  normally  achieved  by  driving 
an  electrodyriamic  vibrator  with  the  amplified 
signal  from  a white -noise  generator,  band -limited, 
and  clipped  at  3 sigma.  An  array  of  variable -Q, 
variable-bandwidth  filters  is  used  to  shape  the 
driving  spectrum  to  achieve  flat  frequency  re- 
sponse of  the  highly-reactive  moving  element  with 
mounted  test  specimen,  a process  subsequently 
referred  to  as  equalization.  The  filters  may  also 
be  used  to  provide  varying  acceleration  density  in 
selected  bands  of  the  response  spectrum. 

Two  rather  serious  limitations  are  imposed 
by  using  a white -noise  generator  in  attempting  to 
simulate  the  flight  vibration  environment.  First, 
with  the  filters  mentioned  above,  it  is  extremely 
difficult  to  achieve  any  reasonable  correlation 
with  power  spectra  measured  in  flight.  Second, 
with  this  approach  there  is  no  way  of  handling 
variations  in  power  spectrum  with  time  of  flight. 

An  alternative  approach  is  to  drive  the  vi- 
bration exciter  with  data  signals  recorded  during 
actual  missile  flights.  The  value  of  such  a pro- 
cedure is,  of  course,  dependent  upon  the  quality 
of  the  data  recorded  in  flight,  and  upon  the 
selection  of  an  appropriate  fixture  for  mounting 


369 


the  test  specimen.  In  vib rat ion -data  acquis it ion , 
we  have  found  that  airborne  magnetic  recorders 
offer  important  advantages  over  telemetry  espec- 
ially in  the  areas  of  channel  aval lab Ility,  data 
frequency  capability,  dynamic  range  and  inter - 
channel  distortion.  Use  of  such  recorders  should 
be  considered  whenever  recovery  is  feasible. 

With  regard  to  fixturing,  it  has  been  recent 
practice  to  employ  a portion  of  the  actual  missile 
structure  in  laboratory  tests,  and  thereby  intro- 
duce mechanical -impedance  properties  of  the  flight 
vehicle  in  some  degree* 

To  evaluate  this  technique,  we  have  conducted 
such  tests  on  a missile  guidance  package,  using 
vibration  data  obtained  with  a recoverable  air- 
borne magnetic  recorder.  A missile  nose  section 
approximately  7 feet  long,  with  guidance  package 
installed,  was  mounted  in  the  thrust  direction 
on  a 15, 000 -pound -force  vibration  exciter 
(Figure  8).  Sensing  instrumentation,  consisting 
of  piezoelectric  accelerometers,  was  arranged  to 
correspond  with  the  flight  configuration*  The 
flight -vibration  signal  recorded  in  thrust  at  the 
missile  parting  flange  (mounting  plane  in  this 
experiment),  band-limited  to  2 kc,  was  used  to 
drive  the  exciter*  Vibration  response  was  re- 
corded in  both  the  driving  plane  and  the  guidance- 
mounting plane* 

Results  of  this  experiment  are  plotted  on 
Figure  9»  The  power  spectra  were  obtained  by 
digital  analysis  based  largely  upon  Reference  2. 
The  data  show  reasonable  agreement  between  labora- 
tory and  flight  spectra  at  the  missile  parting 
flange,  with  moderate  deviations  attributable  to 
equalization  tolerance  (±  3 db),  system  non- 
line araties,  and  vibration-amplifier  gain  setting. 
Flight  and  laboratory  spectra  at  the  guidance- 
mounting rib,  however,  appear  to  bear  little  rela- 
tion to  each  other.  Clearly,  differences  in  the 
character  of  excitation  sources  and  structural 
transmission  paths  are  responsible  for  this.  In 
particular,  absence  of  aerodynamic  forces  and 
associated  effects  on  structural  static  loads  and 
dynamic  response,  raise  serious  doubts  as  to  the 
merit  of  using  vehicle  structure  in  laboratory 
vibration  tests  on  missile-borne  equipment. 


course,  whether  the  Greek  Engineer  was  technically 
equipped  to  define  the  environments  of  interest, 
and  to  evolve  a suitable  experimental  plan  for 
the  occasion.  This  is  probably  academic,  however, 
since  he  was  in  too  big  a hurry  to  bother  with 
such  details  anyway-  But  must  it  always  be  so? 

We  think  not. 

Failure  is  sometimes  the  price  of  knowledge. 
More  often,  however,  the  price  is  paid  for  infor- 
mation already  available  or  at  least  accessible 
at  modest  cost.  Since  the  environment  must  ulti- 
mately be  reckoned  with,  then  its  definition  is 
a matter  of  utmost  urgency  in  any  development 
effort.  Continued  updating  and  application  of 
environmental  knowledge  in  design  and  evaluation 
are  essential  factors  in  minimizing  wasted  time 
and  effort,  two  priceless  commodities  in  today's 
market.  Is  this  not,  after  all,  a common  goal  of 
all  reliability  effort? 


REFERENCES 

Norman,  J,  E. , Estimating  Reliability  as  a 

Function  of  Stress/Strength  Data, 
ARGMA,  November  I96I. 

Blackman,  R.B.  and  Tukey,  J,  W. , The  Measurement 
of  Power  Spectra,  Dover,  1959 * 


These  results  strongly  suggest  that  a pre- 
ferred technique  would  employ  flight  data  recorded 
at  points  on  or  adjacent  to  mounting  lugs  for 
equipment  of  interest,  to  drive  such  equipment  in 
the  laboratory  through  rigid  fixtures.  It  is  of 
interest  to  note  that  we  have  applied  this  latter 
technique  in  recent  evaluations  of  gyro  performance 
in  the  flight  vibration  environment, 

CONCLUSION 


It  seems  likely  that  Daedalus  might  have  im- 
parted life-saving  wisdom  to  son  Icarus,  had  there 
been  a wind  tunnel  and  a sun  simulator  available 
for  pre -flight  demonstration.  One  wonders,  of 


370 


system  evolution 

environmental-engineering  phase 


i 


j 


371 


USE 


effect  of  mean  offset  and 
variability  on  failure  probabilit 


mean  strength  minus  mean  stress  ip. 2 


effect  of  temp,  on 
replacement  requii 

all  voltages  through  rated 


effect  of  temp,  on 
replacement  requirements 

at  various  percentages  of 
rated  dissipation 


1WI1  UNO  d3d 
SlN3W33Vld3d  Nl  3SV3UDNI 


lN3DM3d 


37^ 


TEMPERATURE  (°C) 


effect  of  temp,  on 
overcharge  tolerance 

typical  sealed  nickel-cadmium  cell 


375 


100  200  300  400 

CHARGE  CURRENT  (MILLIAMPERES) 


missile  flight - 
vibration  simulation 

laboratory  setup 


378 


missile  flight 
vibration  simulation 


379 


FREQUENCY  (KC) 


SYSTEM  RELIABILITY  EVALUATION  FROM  SUCCESS  AND  FAILURE  DATA 


R,  Hammell 

Bell  Telephone  Laboratories,  Incorporated 
Whippany,  Hew  Jersey 


It  has  been  estimated  that  man  may  have 
occupied  this  planet  for  two  billion  years.  Dur- 
ing all  but  a fraction  of  one  percent  of  this 
very  long  time,  his  upward  progress  has  been  slow, 
indeed*  Gradually,  man  learned  that  he  must  use 
the  ideas,  discoveries  and  experiences  of  others 
as  stepping  stones  toward  his  distant  goal.  When 
the  total  amount  of  recorded  knowledge  had  reached 
a necessary  level,  man's  rate  of  achievement  be- 
gan to  climb  in  exponential  fashion* 

Today,  we  are  recording  such  vast  amounts  of 
information  that  we  are  at  a loss  to  sift  the 
useful  from  the  useless.  And  the  problems  of  re- 
trieving  needed  material  are  often  so  great  that 
we  are  in  danger  of  either  having  to  rediscover 
or  to  do  without. 

In  the  reliability  field,  we  seem  to  have 
reached  the  point  where  each  practitioner  must 
make  a painful  compromise  between  trying  to  do 
his  job  and  spending  every  waking  moment  studying 
the  tidal  wave  of  material  crossing  his  desk.  If 
we  can  only  bear  it  for  Just  a little  longer,  I 
believe  that  there  is  much  promise  of  improve- 
ment* Before  any  complex  field  of  endeavor  can 
become  a "science,  it  must  first  be  an  "art". 

Our  dilemma  stems  from  the  fact  that  reliability 
is  in  transition  between  these  two  states. 

Earlier  this  year,  at  the  Reliability  and 
Quality  Control  Symposium  in  Washington,  and  at 
the  IRE  Convention  in  Hew  York,  we  were  impressed 
by  men  who  had  become  engineers  and  then  pursued 
the  study  of  medicine.  One  man  is  using  his 
medical  knowledge  in  space  engineering  research; 
another  is  using  his  engineering  to  solve  urgent 
data  recording  and  correlation  problems  in  the 
medical  world.  Both  men  should  open  some  very 
important  doors.  This  is  always  to  be  expected 
when  various  intellectual  disciplines  are 
deliberately  mixed. 

All  this  suggests  that  the  cooperation  be- 
tween systems  designers,  equipment  designers, 
component  designers,  human  factors  engineers  and 
reliability  engineers  should  be  tightened. 

There  follows  an  attempt  to  examine  some  of 
reliability's  developing  vocabulary,  to  identify 
the  kinds  of  information  we  must  collect  during  a 
system's  evolution,  and  what  we  must  do  with  it. 

A "balance  sheet”  will  be  presented,  to  show  what 
we  get  and  what  we  pay  for  correcting  troubles 
detected  in  each  successive  developmental  stage. 


First,  let  us  look  at  some  of  our  specialised 
language*  Let  us  examine  some  of  the  words  used 
in  this  series  of  papers,  to  see  which  ones  have 
specific  meanings  and  which  may  have  meanings 
that  depend  upon  one's  viewpoint. 

What  do  we  mean  by  the  words  "field"  and 
"user"?  Clearly,  this  depends  upon  where  we 
stand.  To  the  military  equipment  manufacturer, 
the  only  proper  concept  of  a product's  being 
"in  the  field”  should  be  that  the  product  has 
been  delivered  into  the  hands  of  the  ultimate 
user,  the  military  operator  working  under 
tactical  conditions*  Unfortunately,  there  are 
too  many  manufacturers  who  believe  that  their 
equipment  has  reached  this  stage  when  a proto- 
type has  passed  its  performance  tests  and  the 
customer  has  paid  the  bill.  As  we  hope  to 
demonstrate,  there  are  serious  dangers  in  the 
latter  attitude. 

The  component  manufacturer,  in  contrast 
with  the  equipment  manufacturer,  may  feel 
that  his  product  Is  "in  the  field"  as  soon 
as  he  has  shipped  it  to  the  equipment  manu- 
facturer. From  where  he  stands,  anyone  who 
handles  (or  mishandles)  his  product  is  a * 
user,  His  component  actually  may  be  exposed 
to  worse  conditions  during  equipment  develop- 
ment than  In  any  other  stage* 

How  about  the  word  "system"?  Very  few 
systems  consist  only  of  hardware;  most  systems 
use  men  as  essential  components  within  closed 
feedback  loops.  Ho  man -machine  system  can 
ever  perform  at  the  required  level  if  proper 
attention  has  not  been  paid  to  the  limitations, 
needs  and  capabilities  of  the  human  components . 

As  mission  times  become  very  short  and  as 
tactical  areas  expand,  weapons  systems  are  re- 
quired to  operate  ever  faster.  This  requires 
that  astronomical  amounts  of  data  be  collected, 
assessed  and  used  to  produce  exactly  right 
decisions  with  blinding  speed,  and  that  men  must 
be  eliminated  as  direct  functional  links* 

Eliminated  from  system  functions,  man 
continues  to  be  essential  for  monitoring 
troubles  and  for  employing  correct  and  rapid 
repair  procedures*  We  must  not  conclude  from 
this  that  human  factors  engineering  has  lost 
impox'tance;  to  the  contrary,  its  importance  has 
never  been  greater*  There  is  a severe  and  urgent 
burden  on  equipment  designers  to  provide  main- 
tenance men  with  the  utmost  in  trouble  detection 
and  correction  facilities,  and  to  arrange  their 


381 


designs  for  instant  and  economical  repair  by 
very  ordinary  kinds  of  men. 

The  importance  of  exploiting  failure  data  in 
any  system  evaluation  is  obvious;  less  obvious 
is  the  importance  and  utility  of  success  data. 

For  each  successful  launching  by  a missile 
system,  it  is  of  vital  importance  that  records 
be  kept  of  environmental  conditions,  ground 
equipment  performance,  telemetered  data  from 
missile,  and  tracking  data  if  we  are  to  assure 
the  success  of  future  launchings.  For  once  a 
high  degree  of  system  reliability  has  been 
achieved,  unremitting  efforts  are  required  to 
guard  against  deterioration. 

Data  from  firings  must  be  compared  with  data 
from  laboratory  testing,  to  be  sure  that  the 
’’margins"  assumed  in  the  laboratory  testing, 
compared  to  field  conditions,  are  really  there. 

This  careful  comparison  has  been  made  in  the 
use  of  the  Bell  Telephone  Laboratories*  Command 
Guidance  System,  designed  for  TITM  I*  This 
system  has  been  used  so  far  for  guidance  in  over 
&0  firings  of  I CBM*  s and  space  vehicles,  without 
a single  failure  of  the  ground  or  missile -borne 
equipment , 

Figure  1 shows  the  evolutionary  phases  of  a 
typical  system,  from  earliest  planning  to  final, 
tactical  use*  It  is  interesting  to  consider 
this  from  the  standpoint  of  failure  reporting  and 
analysis*  The  following  questions  come  to  mind* 
Which  blocks  send  information  to  the  failure 
analyst?  In  which  phases  can  failure  analysis 
pay  the  greatest  dividends?  What  do  the  feedback 
loops  look  like?  Is  there  any  stage  at  which 
failure  analysis  is  useless  to  the  project?  At 
what  point  should  we  stop  analysing  failures  from 
a system? 

Trouble  Data  From  Product  Design  Phase 

If  a failure  analysis  program  can  be  con- 
ducted during  the  product  design  phase,  with 
information  from  breadboard  experiments,  great 
benefits  can  be  realized*  There  are  the  maximum 
opportunities  to  change  to  better  components  and 
better  circuit  and  mechanical  design  practices. 
There  may  even  be  time  available  if  better  com- 
ponents must  be  developed*  And,  of  course,  changes 
are  Inexpensive  and  do  not  have  big  repercussions. 

Data  From  Model  Program 

It  Is  essential  that  when  an  equipment  is  In 
the  model  or  prototype  stage  every  trouble, 
however  small,  be  reported  to  the  reliability 
organization  and  that  It  receive  energetic 
treatment.  If  the  models  closely  represent  the 
final  design,  and  if  they  have  been  built 
according  to  the  company ’s  typical  fabrication 
processes,  most  of  the  troubles  should  resemble 
those  which  might  be  encountered  in  final 
equipment*  It  is  important  that  the  failure 


analysts  findings  be  given  quickly  to  responsi- 
ble project  personnel,  before  the  final  failure 
analysis  report  has  been  written,  printed  and 
distributed*  Any  effective  informal  means  should 
be  used*  The  analyst  often  receives  a reply  from 
the  project  people,  stating  what  they  have  done 
in  response  to  recommendations,  and  includes  this 
statement  in  his  final  published  report*  If  all 
parties  have  done  their  jobs  properly,  this 
trouble  should  not  recur.  In  a large  project,  It 
Is  normal  to  have  many  design  changes  resulting 
from  tests  of  model  or  phototype  equipment* 

Data  From  Production 

It  can  be  expected  that  the  production  phase 
will  yield  a whole  string  of  new  troubles,  many 
of  which  do  not  resemble  those  from  earlier 
phases.  Again,  It  Is  urgent  that  failure  analysis 
be  done  rapidly  and  that  the  preliminary  findings 
be  transmitted  Informally. 

Troubles  occurring  in  production  include 

(a)  defects  in  equipment  design, 

(b)  troubles  caused  by  lack  of  skill  In 
production.  These  will  not  result  in 
design  changes,  but  In  additional  worker 
training  and/or  modifications  In  process 
instructions , 

(c)  Those  resulting  from  changes  in  manu- 
facturing processes, 

(d)  latent  troubles  which  can  appear  only 
after  a quantity  of  units  has  been  built* 

(e)  the  need  to  select  components,  by  trail 
and  error  methods,  for  proper  circuit 
performance*  This  may  be  caused  by  Inno- 
cent-looking, but  Important  differences 
between  the  construction  of  models  and 
final  units  (e*g.  wiring  layout  and 
methods).  It  may  be  due  to  differences 
between  the  production  and  preproduction 
versions  of  certain  special  components. 

Or  It  may  indicate  that  proper  circuit 
operation  depends  upon  an  uncontrolled 

c oraponent  ch  ar  act  eristic. 

Data  from  Installation 

If  it  could  be  assumed  that  production  equip- 
ments are  Installed  in  exactly  the  same  way  as 
model  and  prototype  equipments,  using  the  same 
materials,  tools,  methods  and  kinds  of  men,  then 
most  installation  troubles  should  be  those  caused 
by  errors  or  abuse*  But  there  will  be  a need  for 
some  additional  design  changes*  The  need  for  some 
of  these  changes  may  be  apparent  only  after  pro- 
duction equipments  have  been  handled,  packed, 
transported  over  long  distances,  and  sometimes 
stored  In  a harmful  environment,  prior  to  instal- 
lation . 


382 


Data  From  Use 


If  a system  has  been  soundly  planned  and  well 
designed,  and  if  reliability  procedures  have  been 
exploited  to  the  fullest,  there  should  not  be  many 
big  troubles  in  use. 

Our  decisions  and  actions  at  this  stage  can 
have  a very  big  effect  (for  better  or  worse)  on 
future  systems.  Remembering  that  all  progress 
depends  upon  a study  of  past  experience,  we  must 
realize  that  a trouble -ridden  system  contains  an 
exceedingly  valuable  library  on  what  not  to  do. 

It  is  especially  important  that  all  in-use  troubles 
be  carefully  reported  and  analysed. 

Analysis  results  will,  in  many  cases,  affect 
future  choices  and/or  applications  of  certain  com- 
ponents and  materials,  system  and  equipment  design 
procedures,  manufacturing  processes  and  installa- 
tion methods. 

When  there  has  been  a lot  of  in-use  trouble, 
we*d  be  wise  to  take  a careful  and  skeptical  look 
at  the  reliability  procedures  that  we  used  in  the 
earlier  phases.  It  is  possible  that  we  will  find 
something  wrong  with  our  chosen  reliability  tools, 
or  with  the  way  we  used  them.  But  there  is  another 
possibility]  it  is  that  the  project  organization 
may  not  have  recognized  the  importance  of  our 
recommendations.  The  burden  is  on  the  reliability 
organization  to  arrange  feedback  or  check-up  rou- 
tines so  that  it  will  know  the  consequences  of  its 
recommendations , if  the  project  decides  that 
action  is  unwarranted,  the  reason  should  be  deter- 
mined and  recorded. 

Data  Collection 

We  have  talked  a lot  about  the  use  of  trouble 
data,  but  have  not  touched  on  the  problems  of 
collecting  it.  The  "success  data"  are  not  diffi- 
cult to  obtain;  this  is  because  of  their  nature 
and  because  they  are  recorded  under  the  control  of 
engineers  who  are  responsible  for  their  use.  The 
problem  Is  most  acute  in  the  case  of  trouble, 
failure,  replacement  and  readjustment  information. 
How  do  you  motivate  a maintenance  man  so  that  he 
will  want  to  give  you  a complete  story?  Sometimes 
we  have  difficulty  obtaining  any  story,  however 
inadequate , 

Much  of  our  most  valuable  data  come  from  "H&D 
Field  Sites"  where  the  environments  and  system  use 
conditions  might  be  called  quasi -tact leal.  Perhaps 
the  most  successful  method  we  have  used  for  obtain- 
ing data  is  to  have  an  experienced  man  assigned  to 
each  site,  with  the  primary  duty  Of  reporting  the 
full  story.  This  man  goes  to  the  place  on  the 
"reservation"  where  the  trouble  occurred,  inter- 
views the  people  who  coped  with  the  trouble,  looks 
at  their  logs  and  prepares  the  report.  In  addition 
to  all  the  obviously  needed  information,  it  is 
vital  that  he  be  specific  about 

(a)  circuit  positions  of  failed,  replaced  or 
re  ad  jus  ted  c omponent  s , 


(b)  whether  the  replacement  or  readjustment 
resulted  in  cure, 

(c)  the  number  of  operating  hours  accumulated 
on  each  replaced  component,  or  up  to  the 
time  when  an  adjustment  was  made, 

(d)  complete  statements  of  symptoms  and 
events  of  possible  significance. 

Many  failures  cannot  be  analyzed  at  all  unless 
the  amount  of  time  accumulated  on  a replaced  com- 
ponent is  given.  Of  course,  this  means  that  the 
reliability  organization  must  assure  itself  that 
the  system  designers  have  included  enough  running - 
time  meters,  and  that  they  have  been  installed  in 
the  right  places* 

On  the  IfXKE-£EUS  project,  we  had  been  receiv- 
ing many  failed  samples  of  a certain  relay.  The 
contacts  looked  as  though  they  had  been  abused 
electrically  but,  lacking  estimates  of  the  number 
of  times  these  relays  had  been  operated,  we  could 
not  make  a conclusive  analysis.  When,  one  day, 
one  of  these  relays  was  accompanied  by  a statement 
of  the  number  of  operations,  it  was  apparent  that 
it  had  passed  its  expected  life.  The  relay  was 
not  being  overloaded,  but  it  was  being  operated 
so  often  that  it  would  require  frequent  replace- 
ment. 

Whatever  system  is  adopted  for  obtaining  field 
failure  data,  it  is  invaluable  to  use  the  feedback 
principle  so  that  the  maintenance  man  knows  his 
report  did  not  fall  into  a bottomless  pit.  Send 
him  a copy  of  your  failure  analysis  report.  You 
then  have  a vehicle  for  words  of  praise  for  a job 
well  done;  and  you  have  the  opportunity  to  do  a 
little  complaining  if  he  has  let  you  down. 

Failure  Analysis 

We  have  heard  a great  deal  about  the  mechanics 
of  component  failure  analysis.  This  art  has  become 
well  understood  and  has  been  thoroughly  documented. 
The  important  thing  to  remember  is  that  our  study 
must  extend  far  beyond  the  failed  component  (which 
often  turns  out  to  be  perfectly  good);  it  is  only 
a part  of  the  story.  We  must  examine  where  and 
how  it  has  been  used  (or  abused),  how  it  was  housed, 
how  it  was  applied,  We  must  chart  and  study  the 
frequencies  of  troubles  according  to  their  posi- 
tions in  circuits.  And  we  must  pay  heed  to  those 
troubles  that  are  corrected  only  by  the  changing 
of  adjustments,  without  component  replacements. 

Of  special  interest  to  the  failure  analyst  is 
the  case  in  which  the  trouble  disappears  when  a 
component  is  replaced,  but  no  trouble  can  be  found 
with  the  removed  component.  This  raises  a number 
of  possibilities; 

(1)  External  connections  to  the  removed  com- 
ponent may  have  been  faulty, 

(2)  The  removed  component  may  contain  an 
intermittent  defect*  It  may  be  sensitive 


383 


to  some  quantity  such  as  temperature , 
moisture,  shock,  vibration,  voltage,  or 
a combination  of  them. 

(3)  The  circuit  design  may  be  marginal,  so 
that  it  will  not  work  when  a component 
characteristic  is  near  a limit. 

(4)  Proper  operation  of  the  circuit  may  de- 
pend  upon  some  "uncontrolled  character- 
istic’1 of  the  component.  This  is  not 
uncommon. 

(5)  When  no  other  explanation  can  be  found, 
it  is  possible  that  some  other  action 
actually  was  taken,  in  addition  to  re- 
placement of  the  component . The  person 
who  prepared  the  trouble  report  may  have 
been  unaware  of  this,  he  may  have  for- 
gotten it,  or  he  may  not  be  sufficiently 
objective  to  report  an  error  which  he 
may  have  made* 

Priorities 

On  the  Command  Guidance  System  project^ 
the  field  trouble  report  cards  have  a space  for 
indicating  whether  the  effect  of  a trouble  on  sys- 
tem functioning  was  ’’critical,  ” "major”  or  "minor. " 
The  terms  are  self-explanatory.  Special  efforts  are 
made  to  give  priority  attention  to  the  critical 
cases.  When  the  analysis  groups  are  overloaded, 
minor  items  are  deferred  until  the  work  load  drops*, 

On  other  projects,  degrees  of  severity  are  not 
usually  indicated.  All  cases  are  handled,  in  the 
order  of  arrival,  as  being  of  equal  importance. 
However,  our  Systems  Reliability  Department  keeps 
a box  score  on  each  type  of  trouble  and,  from  time 
to  time,  issues  requests  to  the  analysis  groups  to 
pay  special  attention  to  certain  cases,  or  to  stop 
analyzing  other  kinds  of  troubles  which  have  become 
well  known  and  are  receiving  corrective  action. 

Conclusions 

1.  Reliability  is  in  transition  between  art 
and  science.  Greater  efforts  are  needed 
to  mix  it  with  other  disciplines. 

2.  To  increase  understanding  by  project 
people,  let’s  not  be  reticent  about  our 
success . 

3.  We  must  give  balanced  attention  to  success 
and  failure  data  and  use  both  of  them  as 
tools. 

4.  Failure  analysis  pays  the  greatest  divi- 
dends when  done  in  the  earliest  equipment 
design  stage. 

5.  All  troubles  should  be  reported  from  all 
phases  of  a system !s  life,  including 
field  use. 


6.  Analysis  of  in-use  failures  is  vital  to 
the  greater  reliability  of  future  systems. 
If  we  do  not  do  this,  we  shall  never  stop 
committing  the  same  old  errors. 

7.  If  the  demonstrated  reliability  of  a sys- 
tem falls  far  short  of  predictions,  we 
must  look  carefully  at  the  tools  we  used, 
and  the  way  we  used  them. 

8.  Collection  of  trouble  data  is  not  easy. 

9.  Component  failure  analysis  must  go  far 
beyond  a mere  study  of  the  component. 

10.  Effort  expended  in  failure  analysis  should 
be  in  proportion  to  the  effect  of  the 
trouble  on  the  system’s  main  mission. 


384 


Balance  Sheet  on  Failure  Analyses  Performed  in 
Various  Phases  of  Project 


Savings 

Costs 

PRODUCT  DESIGN 

Model  changes. 
Opportunity  to  modify 
basic  design  approach, 
or  to  develop  better 
components. 

Failure  Analysis. 
Design  changes 
(relatively  slight 
cost) . 

MODEL 

Manufacturing  Changes 

Failure  Analysis. 
Design  changes 
(moderate  cost). 

PRODUCTION 

Field  changes 

Data  Collection. 
Failure  Analysis. 
Retraining. 
Design  changes 
(expensive). 
Process  changes. 

USE 

Improved  reliability 
of  future  systems. 

Data  Collection. 
Failure  Analysis. 
Field  changes 
(very  expensive). 
Design  & Production 
changes. 

Figure  2 


386 


A SURVEY  OF  TECHNIQUES  FOR  ANALYSIS  AND  PREDICTION  OF 
EQUIPMENT  RELIABILITY 

by 


Hi  Elmore  Blanton  Richard  M,  Jacobs 

Raytheon  Company  Sylvania  Electric  Products,  Inc. 

Lexington,  Mass*  Waltham,  Mass, 


This  paper  presents  a brief  synopsis  of 
representative  techniques  that  are  used  in  the 
analysis  and  prediction  of  equipment  reliability 
during  the  design  phase.  In  parti cular,  attention 
is  directed  to:  (1)  techniques  commonly 
employed  for  the  prediction  of  circuit  or  module 
reliability,  given  part  reliability,  circuit  con- 
figuration, and  environment;  (Z)  techniques 
commonly  employed  for  the  pr  ediction  of  equip- 
ment (or  systems)  reliability,  given  module 
reliability,  equipment  configuration,  and  opera- 
tional and  environmental  requirements;  and  (3} 
advanced  statistical  techniques  which  are  useful 
under  certain  conditions  to  supplement  those 
techniques  previously  mentioned. 

Introduction 

Techniques  useful  in  the  analysis  and 
prediction  of  equipment  reliability  have  developed 
rapidly  during  the  past  several  years , Con- 
currently with  this  development,  emphasis  has 
been  placed  on  the  accumulation  of  failure -rate 
data  on  parts  and  the  measurement  of  reliability 
of  existing  equipments  in  order  to  provide 
numerical  significance  to  the  various  mathemat- 
ical expressions  used  in  describing  reliability. 
These  efforts  have  been  accelerated  by  an 
increasing  recognition  of  the  value  of  applying  an 
analysis  and  prediction  technique  during  the 
design  phase.  Consequently,  reliability  engi- 
neers, and  others  in  related  activities!  have 
been  confronted  with  an  ever -increasing  number 
of  "best11  techniques  for  analyzing  and  predicting 
equipment  reliability* 

Under  these  circumstances,  it  became 
apparent  that  a survey  of  these  techniques  would 
prove  valuable  provided  the  survey  elaborated  on 
the  recommended  uses  of  a technique,  its 
distinguishing  features,  and  the  sources  of  data. 
This  paper  is  an  effort  to  present  such  a 
compendium  of  information.  No  attempt  has 
been  made  to  evaluate,  recommend,  or  criticize 
the  methods  or  techniques  either  by  the  sequence 
of  the  presentation  or  by  the  descriptive  details. 

Currently  available  techniques  are 
classified  in  this  paper  according  to  application: 

(a)  Prediction  of  circuit  or  module 
reliability  when  part  reliability,  circuit  con- 
figuration, and  internal  and  external  stresses 
are  given  (discussed  in  Section  2); 


(b)  Prediction  of  equipment  or  systems 
reliability  when  module  reliability,  equipment 
diagram,  and  operational  requirements  are 
available  (Section  3); 

(c)  Advanced  mathematical/statistical 
techniques  which  supplement  the  preceding 
methods  under  certain  prescribed  conditions 
(Section  4). 

A few  techniques  which  do  not  fall  into  these 
categories  but  which  may  prove  valuable  for 
specific  applications  are  noted  in  Section  5,  The 
ways  in  which  these  various  methods  may  be 
employed,  as  well  as  an  indication  of  their 
validity,  is  examined  in  Section  6. 

Reliability  prediction  as  considered  here 
includes  all  methods  used  in  obtaining  a 
numerical  indication  of  the  inherent  reliability 
of  the  device,  regardless  of  whether  that 
numerical  indication  is  intended  as  a measure 
of  conformance  to  specifications,  a means  for 
comparing  similar  devices,  or  for  other 
purposes.  The  terms  f1part,  “ '‘module",  and 
“equipment Tl  are  used  to  represent  the  basic 
elements  of  a device,  a collection  of  those 
elements  which  function  together  as  a unit,  and 
the  final  assemblage  of  those  elements  as 
required  to  accomplish  a specific  task, 
respectively. 

A literature  search  reveals  that  although 
a few  papers  on  reliability  prediction  appeared 
during  the  1940 fs,  the  bulk  of  the  material  was 
published  subsequent  to  that  time.  The  authors 
have  reviewed  personally  over  200  references. 
The  bibliography  at  the  end  of  this  paper  lists 
those  papers  which  have  been  cited  in  the  text 
as  well  as  others  which  may  be  of  general 
interest.  Also  included  are  references  to 
several  edited  bibliographies  which  may  be  con- 
sulted for  information  on  additional  papers, 
(References  1,  2,  3,  4,  5,  6) 

Prediction  of  Module  Reliability 

The  prediction  of  electronic  circuit  or 
module  reliability  has  been  the  subject  of  many 
papers;  however,  essentially  all  of  these  papers 
discuss  the  use  of  the  basic  technique  of  ob- 
taining the  module  reliability  from  the  summa- 
tion of  the  failure  rates  of  the  constituent  parts. 
Appropriate  formulas  may  be  applied  to  account 
for  the  series  or  parallel  configuration  of  the 
parts  which  compose  the  module.  The  points  of 


387 


disagreement  between  the  papers  are  what 
numerical  data  should  be  used  for  the  failure 
rates  and  the  degree  of  detail  that  should  be  con- 
sidered in  defining  the  failure  rates.  Several 
short  cuts  and  refinements  in  module  prediction 
techniques  have  been  discussed.  Most  of  the 
papers  relate  to  electronic  equipment  - the  ex- 
tension to  non- electronic  equipment  may  be 
reasonably  straightforward  if  the  appropriate 
numerical  data  are  available. 

Mathematical  Models  for  Module  Reliability 

One  of  the  earliest  attempts  to  predict 
reliability  for  electronic  equipment  was  made 
shortly  after  World  War  II.  Based  on  experience 
with  World  War  II  equipment  (C2,  Dl,  HI),  it 
was  determined  that  the  several  ways  in  which 
equipment  could  fail  are:  (1)  frequently  repeated 
failures  caused  by  parts  either  poor  in  quality 
or  overstressed,  (2)  randomly  occuring  failures, 
(3)  degradation  failures  of  various  parts.  It  was 
thought  that  frequently  repeated  failures  could 
be  rectified  by  retrofits,  and  the  degradation 
failures  could  be  prevented  by  appropriate 
maintenance  practices.  At  that  time,  however, 
methods  to  reduce  the  random  failures  were  not 
known.  The  data  gathered  indicated  a total 
failure  picture  which  could  be  approximated  by 
the  exponential  law  and  established  the  fact  that 
the  probabilities  of  survival  for  the  equipments 
were  influenced  by  the  complexities.  To  predict 
the  magnitude  of  failures  in  equipment,  typical 
failure  rates  for  various  part  types  were 
established.  These  failure  rates,  multiplied  by 
the  number  of  parts  in  the  equipment,  were 
shown  to  yield  an  estimate  of  equipment 
reliability.  This  basic  technique  en- 

compasses the  concepts  of  many  of  the  more 
elaborate  methods  in  use  today. 

As  an  extension  to  this  early  work,  the 
ematical  model  giving  the  failure  rate  of 

-module  as  the  summation  of  the  failure 

rates  of  the  constituent  parts  has  received  wide 
acceptance.  The  reliability  of  the  module,  in 
turn,  is  computed  from  R = e where  A.  is  the 
failure  rate  of  the  module. 

The  use  of  this  mathematical  model 
implies  the  acceptance  of  certain  basic 
assumptions; 

(a)  All  parts  are  considered  to  be 
functionally  independent,  that  is,  a failure  of 
any  one  part  will  not  affect  the  probability  of 
failure  of  any  other  part. 

(b)  The  successful  functioning  of  each 
and  every  part  is  required  for  the  successful 
functioning  of  the  module 

(c)  Failure-rate  data  for  the  various 
parts  are  available 

(d)  The  parts  experience  constant 
failure  rates  during  the  period  of  module 

388 


operation  and  hence  the  exponential  distribution 
is  applicable. 

The  validity  of  these  assumptions  with 
respect  to  the  module  being  studied  should  be 
considered  in  order  to  avoid  gross  errors. 
Recent  work  has  shown,  for  example,  that  the 
assumption  of  constant  failure  rates  and  the 
exponential  distribution  may  not  be  acceptable 
in  all  instances.  Work  is  underway  to  determine 
the  applicability  of  the  Weibull,  Gamma,  Log 
Normal,  Poisson,  Binomial  and  normal  dis- 
tributions to  various  elements  of  the  over -all 
problem.  As  additional  data  become  available, 
confirmation  of  the  validity  of  particular  dis- 
tributions in  describing  the  reliability  to 
specific  parts  and  modules  may  be  expected. 

Part  Failure -Rate  Data 

The  principal  distinction  between 
methods  reported  for  the  prediction  of  module 
reliability  is  the  part -out-failure -rate  data 
employed.  It  is  recognized  that  failure  rates 
vary  considerably  due  to  the  environment  of 
internal  and  external  stresses.  These  stresses 
are  derived  from  the  way  in  which  the  part  is 
used  in  the  module,  the  way  in  which  it  is 
mounted  or  packaged,  the  ultimate  use  of  the 
module,  and  operational  procedures  such  as  on- 
off  cycling.  In  addition,  failure  rates  vary  as 
resultsv  of  inherent  design  of  parts,  conditions 
of  manufacture  and  other  factors. 

In  using  published  failure -rate  data,  the 
source  of  the  data  must  be  carefully  considered. 
For  example,  if  it  is  obtained  from  field 
experience  with  shipboard  equipment,  it  may 
not  be  directly  applicable  to  airborne  equipment 
or  to  fixed  ground-based  equipment.  Further- 
more, in  certain  compilations  of  data,  failure 
rates  were  obtained  directly  as  a function  of  the 
total  field  removals  including  preventive  main- 
tenance actions;  whereas,  in  other  instances, 
data  supposedly  resulting  from  human  error, 
secondary  failures,  and/or  other  extraneous 
sources  of  malfunction  were  removed  before 
the  computation  of  failure  rates.  Failure -rate 
data  also  are  available  from  extensive  parts - 
testing  programs  conducted  either  by  parts 
manufacturers  or  parts  users;  but  insufficient 
time  has  elapsed  to  permit  high  confidence 
correlation  of  the  results  of  these  tests  with 
field  data  to  establish  the  validity  of  the- test 
programs.  Other  failure-rate  data  are  com- 
puted from  parts -test  data  combined  with 
controlled  or  uncontrolled  field  data. 

Under  these  circumstances,  each  user 
must  apply  caution  in  selecting  the  data  to  be 
employed  in  his  particular  prediction. 

Currently,  insufficient  information  is  available 
to  permit  the  selection  of  a HbestM  source  of 
data  - the  choice  must  be  made  in  view  of  the 
requirements  of  the  particular  prediction 
program. 


The  earliest  sources  of  failure-rate 
data,  of  course,  provided  indications  of  only 
nominal  failure  rates  for  broad  categories  of 
parts.  As  the  collection  of  failure  rates  has 
continued  through  the  years,  these  data  have 
been  refined;  and,  currently,  compilations 
provide  many  breakdowns  into  various  cate- 
gories of  parts  as  well  as  indications  of  the 
effects  of  various  stresses.  The  exact  manner 
in  which  reliability  is. related  to  stress  level 
varies  considerably. 

One  compilation  of  failure- rate  data, 
which  was  updated  recently,  was  drawn  from 
shipboard  applications  (S7,  VI,  V2).  This 
source  presents  single  failure-rate  numbers  for 
the  majority  of  part  categories.  In  the  case  of 
tubes,  transistors,  resistors,  capacitors,  and 
several  other  commonly  used  electronic  parts, 
graphic  data  are  provided  to  permit  a modifica- 
tion of  the  basic  failure  rate  in  terms  of  the 
severity  of  the  application,  measured  as  a 
function  of  the  principal  electrical  parameter 
affecting  reliability.  The  effects  of  other  en- 
vironmental factors  are  not  considered.  Data 
in  this  form  are  useful  in  obtaining  initial 
estimates  of  module  reliability,  before  infor- 
mation is  available  on  the  particular  environ- 
mental stresses  to  be  encountered. 

Perhaps  the  most  widely  used  source  of 
failure-rate  data  (R3,  R4,  R8,  Rll)  extends 
the  concept  of  application  severity  levels  to 
provide  charts  and  tables  where  failure  rate  is 
shown  as  a function  of  the  principal  electrical 
stress  on  the  part  and  the  principal  external 
stress,  usually  ambient  temperature.  Infor- 
mation presented  in  this  form  is  particularly 
valuable  as  the  design  progresses  and  becomes 
firm.  It  provides  the  designer  an  opportunity 
to  study  trade-offs  between  reliability  and 
ambient  temperature,  electrical  stresses  on 
the  parts  (which  when  interpreted  as  per  cent 
of  rated  stress  often  may  be  related  to  the  size 
of  the  part)  maintenance  factors,  cost  and  other 
related  considerations.  These  particular  data 
reportedly  are  derived  from  laboratory  and 
field  tests  of  fixed  station  ground-based  equip- 
ment together  with  theoretical  considerations. 

It  has  been  proposed  that  failure  rates  obtained 
from  this  source  be  modified  by  multiplying  by 
an  appropriate  factor  in  the  range  from  1 to  80 
to  account  for  the  severity  of  the  application 
environment  (i.  e.  , ground  based,  manned  air- 
craft, missile,  etc.  )(D4). 

The  use  of  adjustment  factors,  often 
called  "Kn  factors,  to  modify  basic  failure  rate 
data  also  is  recommended  in  several  publica- 
tions, In  one  of  these  (A3,  B20),  the  "K" 
factors  are  used  merely  to  modify  basic  failure 
rates  to  account  for  certain  circuit  stresses; 
for  example,  the  ratio  of  actual  to  rated 
voltage,  temperature  above  recommended 
ambient,  or  on-off  cycling.  In  another  (H10), 
the  nKn  factors  are  used  to  account  for  use 
environment  as  well  as  other  factors  which  are 


not  directly  reflected  in  the  tabulations  of  basic 
failure  rates. 


Another  tabulation  of  failure  data  (E2, 

E3,  E4)  provides  a table  of  nominal  or  generic 
failure  rates  and  application  factors  which  are 
functions  of  both  circuit  and  use  environment. 

In  the  tabulation  of  failure  rates,  both  the 
nominal  values  and  the  upper  and  lower  ex- 
tremes are  given  for  over  400  items,  including 
many  electronic  part  categories,  over  70  tubes 
and  semiconductors  by  part  number,  a variety 
of  electromechanical  parts,  and  some  frequently 
used  subassemblies.  Application  factors 
serve  as  multipliers  to  adapt  these  failure 
rates  to  account  for  actual  conditions  of 
ambient  temperature,  operating -to -rated 
wattage,  wire  size  in  potentiometers  and 
resistors,  and  other  measures  of  application 
severity.  The  product  of  the  nominal  failure 
rates  times  the  application  factors  are 
multiplied,  in  turn,  by  an  operational  factor 
K which  ranges  from  1.0  for  a laboratory 
computer  to  2,  000  for  a booster  engine  com- 
partment (in  flight),  to  adjust  the  failure  rates 
for  external  stresses  which  may  be  experienced 
during  actual  usage. 


Only  one  significant  source  of  data 
specifically  on  mechanical  and  electro- 
mechanical devices  has  been  noted  (K1S),  This 
reference  provides  not  only  basic  data  on  parts 
such  as  motors,  synchros,  and  resolvers, 
gear  boxes,  and  hydraulic  components  but  also 
an  indication  of  the  methods  of  estimating  the 
reliability  of  these  devices  during  actual 
operation.  Informal  communications  received 
by  the  authors  indicate  that  several  groups  have 
run  tests  which  tend  to  validate  the  material 
presented  in  this  report. 


One  author  (P4)  has  suggested  that  the 
problem  of  obtaining  specific  failure -rate 
information  for  the  various  parts  of  a module 
be  avoided  by  defining  for  each  part  a "reli- 
ability index"  which  is  the  ratio  of  the  failure 
rate  of  the  particular  part  to  the  failure  rate  of 
a "standard"  part  that  is  chosen  as  the  basis 
for  the  normalization.  This  author  reasons 
that  it  is  much  easier  to  obtain  an  accurate 
indication  of  the  relative  failure  rates  of  parts 
and  that  any  prediction  made  using  the  "reli- 
ability indexes"  can  easily  be  normalized  for  a 
particular  situation  through  the  choice  of  an 
appropriate  value  for  the  failure  rate  of  the 
"standard"  part 


Other  Prediction  Methods 


The  active  element  group  method  (B9, 
R13,  S7)  differs  from  the  basic  method  dis- 
cussed previously  in  that  the  parts  population 
of  the  module  is  defined  in  terms  of  the  number 
of  active  elements,  i.  e,  , tubes  and  semi- 
conductors. By  definition,  an  active  element 
group  (AEG)  consists  of  a tube  or  a transistor 
with  a proportionate  share  of  the  resistors, 


389 


capacitors,  coils,  transistors,  and  other  parts 
which  form  the  module.  The  failure  rates  for 
various  AEG's  may  be  obtained  from  published 
tables  (B9,  S7 ) or  may  be  computed  from  the 
nominal  failure  rates  of  the  constituent  parts. 

The  failure  rate  of  the  module  is  computed  as 
the  sum  of  the  products  of  the  number  of  AEG's 
times  the  appropriate  failure  rates.  This  method 
of  analysis  provides  an  easy  means  for  com- 
paring the  effects  of  complexity  on  reliability* 

For  example,  if  a designer  wishes  to  add  one 
stage  of  amplification  to  a three -stage  amplifier, 
he  can  readily  determine  the  loss  of  reliability 
versus  the  gain  in  system  performance.  Thus 
the  engineer  can  evaluate  easily  a number  of  the 
factors  which  he  must  consider  in  a trade-off 
determination. 

In  situations  where  the  reliability  of  a 
large  number  of  modules  must  be  predicted, 
sampling  procedures  may  be  used  to  advantage. 
The  use  of  such  procedures  does  not  affect  the 
basic  technique  used  in  prediction  but  rather  leads 
to  the  stipulation  that  a detailed  prediction  of 
reliability  will  be  made  for  only  the  selected 
sample  modules  whereas  merely  a quick  analysis, 
if  any  at  all,  of  the  estimated  reliability  will  be 
made  for  the  other  modules.  The  use  of  sampling 
procedures  introduces  risk  factors  for  both  the 
user  and  manufacturer  of  the  modules;  however, 
these  factors  may  not  be  significant  in  terms  of 
the  degree  of  error  that  is  expected  when  using 
usual  prediction  methods. 

Several  groups  are  currently  studying  the 
potential  value  of  predicting  reliability  of 
standard  or  preferred  circuits  packaged  in  pre- 
selected configurations  i.  e. , weldpack,  micro- 
miniaturized wafers,  microelectronic  wafers,  etc* 
Unfortunately,  the  results  of  these  studies  are 
not  available  at  this  time* 

Effects  of  Fart  Variability 

In  the  preceding  discussion,  it  has  been 
assumed  that  the  various  parts  in  a given  module 
can  be  assigned  specific  failure  rates  from 
appropriate  data  sources.  In  actuality,  of 
course,  even  if  the  assumption  of  a constant 
failure  rate  is  accepted,  it  is  recognized  that  the 
reliabilities  of  the  parts  employed  in  a group  of 
similar  modules  will  lie  within  some  specified  or 
assumed  range  about  the  nominal  values. 
Furthermore,  in  establishing  a true  measure  of 
the  inherent  reliability  of  a module,  attention 
must  be  given  not  only  to  the  effects  of  cata- 
strophic failure  but  also  to  the  effects  of  degra- 
dation resulting  from  changes  and  variations  in 
the  characteristics  of  the  parts* 

Several  authors  have  considered  various 
techniques  which  may  be  employed  in  obtaining  a 
realistic  picture  of  the  variations  in  reliability 
which  may  be  expected  from  variations  in  parts. 
The  methods  considered  include  the  use  of 
analysis  of  variance  to  obtain  the  expressions  for 
the  module  reliability  in  terms  of  random 
variables  representing  the  part  characteristics  ■ 


(Bb,  MIC)  and  the  derivation  of  expressions 
relating  output  tolerance  to  part  tolerances  (D7, 
D8,  Ml  6)  as  well  as  the  application  of  other 
statistical  techniques  (M7).  An  analysis  of  the 
effects  of  part  variations  can  lead  to  the 
recognition  of  areas  where  improvement  is 
desirable  or  where  changes  can  be  made  that  will 
aid  in  optimizing  the  reliability  of  the  design* 

Prediction  of  Equipment  Reliability 

A survey  of  the  current  literature  reveals 
a variety  of  approaches  to  the  prediction  of 
equipment  and  systems  reliability.  An  analysis 
of  these  approaches  discloses  many  points  in 
common  and  also  shows  that  in  some  instances 
several  of  these  approaches  must  be  combined  to 
obtain  a valid  prediction  for  a complex  equip- 
ment* To  achieve  greatest  effectiveness  in  the 
use  of  these  techniques,  one  must  define  care- 
fully the  type  of  prediction  desired  and  then 
select  the  one  or  more  approaches  necessary- 
The  ways  in  which  the  use  of  prediction  tech- 
niques may  aid  in  improvement  of  equipment,  as 
well  as  the  results  of  having  employed  pre- 
diction in  the  development  of  certain  equipments 
are  discussed  in  Section  6. 

Selection  of  Prediction  Technique 


The  selection  of  the  preferred  technique 
for  a particular  reliability  analysis  maybe 
resolved  on  the  basis  of  the  following  consider- 
ations : 

(a)  Project  Requirements  - Does  the 
project  require  that  a specified  technique  be 
employed  ? 

(b)  Purpose  of  Prediction  - Reliability 
predictions  may  be  used  to  establish  adequacy 
of  proposed  designs  at  time  of  bidding,  to 
measure  compliance  with  reliability  specifica- 
tions, and  to  analyze  design  improvements. 

The  first  two  uses  require  an  absolute  estimate 
of  the  inherent  reliability,  which  is  the  most 
difficult  type  to  make  with  high  accuracy*  When 
the  purpose  of  the  analysis  is  to  obtain  a rela- 
tive evaluation  of  alternative  designs  or  to 
locate  major  weak  links,  simplifying  assump- 
tions often  maybe  made* 

(c)  Type  of  Equipment  or  System  - 
Several  classes  of  techniques,  each  relating  to 
particular  types  of  equipment,  are  available. 
Some  of  these  techniques  are  especially  useful 
where  a switching -circuit  analogy  is  applicable* 
Other  techniques  apply  to  situations  where 
degradation-type  failures  must  be  considered 
or  where  the  consequence  of  failure  of  a part 
differ  according  to  its  mode  of  failure. 

(d)  Phase  of  Design  - The  phase  of  the 
design  process  determines  the  amount  of  detail 
information  available  about  the  equipment  and 
thus  which  technique  may  be  appropriate. 


390 


(e)  Reliability  versus  Other  Parameters 
- In  many  complex  equipments  and  systems  such 
as  those  which  include  alternate  modes  of  oper- 
ations, the  more  advanced  concept  of  system 
effectiveness  or  system  worth  (which  includes 
consideration  of  reliability,  maintainability, 
and  related  factors)  must  be  employed  in  ob- 
taining a measure  of  probability  of  successful 
performance 

(£)  Degree  of  Accuracy  Desired  - The 
refinement  of  a prediction  to  include  consider- 
ations, such  as,  confidence  limits  associated 
with  estimates  and  variations  in  operational 
requirements  for  success  during  a given 
mission,  naturally  leads  to  the  use  of  more 
advanced  prediction  techniques. 

Elementary  Prediction  Techniques 

The  oldest  technique  for  the  numerical 
prediction  of  equipment  reliability  is  based  on 
the  application  of  the  product  rule  and  simple 
redundancy  considerations.  This  technique  is 
valid  and  extremely  useful  where  the  modules 
composing  an  equipment  operate  in  a simple 
series  and/or  redundant  configuration  with 
respect  to  reliability,  One  of  the  more  mathe- 
matical treatments  of  reliability  analysis  tech- 
niques (A 6)  discusses  the  product  rule  and  shows 
that  actually  it  can  be  applied  with  reasonable 
validity  to  a variety  of  situations.  A recent 
publication  (C4)  provides  an  excellent  descrip- 
tion of  this  technique. 

Another  approach  is  the  prediction  by 
equipment  function.  One  handbook  (S7)  pre- 
scribes the  use  of  this  technique  as  the  first 
step  in  a reliability  analysis.  In  this  technique, 
the  reliability  of  a new  equipment  or  system  is 
developed  by  comparing  the  function  of  the  new 
device,  or  portions  thereof,  with  that  of  existing 
devices  of  similar  function  and  complexity  and 
known  reliability.  Other  activities  have  recog- 
nized the  value  of  this  approach  and  a research 
study  directed  at  extending  the  applicability  of 
the  technique  and  provision  of  backup  data  is 
currently  contemplated  (R12), 

A technique  useful  in  the  early  stages  of 
the  design  of  electronic  equipment  is  based  on 
the  active-element-group  (AEG)  concept  which  is 
described  in  Section  2,3.  If  simple  redundancies 
are  evident  in  the  equipment,  the  AEG  prediction, 
of  course,  should  be  made  on  a module  basis  and 
the  module  reliabilities  combined  using  the  tech- 
nique considered  above, 

A fourth  technique  (B14),  sometimes 
termed  11  Cause  and  Effect  Analysis11,  is  more 
qualitative  than  quantitative.  However,  when  it 
is  applied  systematically,  it  can  lead  to  realis- 
tic appraisal  of  possible  sources  of  unreliability 
and  of  the  merits  of  alternative  approaches  to 
correct  such  unreliability.  The  application  of 
this  technique  results  in  a detailed,  systematic 
analysis  of  the  relationship  of  various  parts  to 
the  whole;  identification  of  modes  of  failure  and 


the  effects  of  such  failures;  analysis  of  means  of 
eliminating  failures;  and  a summarization  of 
necessary  design  improvements  and  expected 
success  of  the  device  in  the  intended  application. 

Use  of  Switching-Circuit  Analogy 

A number  of  the  earliest  papers  on  the 
subject  of  reliability  prediction  relate  to  the 
reliability  of  switching  circuits  (B21,  F7,  Gl), 
Since  the  switch  is  a two- state  device  - either 
open  or  closed  - it  was  soon  evident  that  a 
switching  circuit  could  be  considered  an  ana- 
logue of  any  group  of  interconnected  elements 
where  the  operation  of  each  element  could  be 
described  as  either  a success  or  a failure. 

Thus,  the  analogy  is  particularly  applicable  to 
equipment  such  as  a missile  where  the  success 
of  the  flight  depends  on  the  success  or  failure  of 
the  constituent  components  during  the  flight 
interval. 

Three  steps  are  essential  in  the  appli- 
cation of  the  switching- circuit  analogy  to  the 
prediction  of  reliability: 

(a)  Preparation  of  a circuit  diagram 
where  each  component  is  represented  by  a 
switch,  the  open  position  being  analogous  to 
failure  and  closed  position  analogous  to  success. 

(b)  Derivation  of  a formula  (transfer 
function)  for  transmission  through  the  circuit 
showing  all  combinations  of  switch  closures 
which  can  lead  to  success, 

(c)  Interpretation  of  the  formula  for 
successful  transmission  in  terms  of  probability 
of  success  by  substituting  for  symbols  denoting 
switch  closure,  the  probability  of  such  closure; 
and  for  symbols  denoting  open  switches,  the 
probability  of  failure. 

In  this  procedure,  the  principal  effort 
centers  around  step  (b),  the  derivation  of  the 
formula.  Early  papers  suggest  the  development 
of  complete  tables  of  all  of  the  independent  ways 
in  which  success  could  be  obtained  and  the  sum- 
mation of  these  terms  to  achieve  the  desired 
formula.  Eater,  symbolic  logic  (K7,  S3)  and 
Boolean  algebra  were  recognized  (F7,  Gl)  as 
valuable  aids  in  the  derivation  of  the  required 
formula , 

Extensions  of  this  technique  to  switches 
or  components  which  exhibit  three  distinct  states 
(F7)  and  to  complex  milti -element,  series - 
parallel  networks'  (L3)  have  been  described,  A 
more  recent  paper  treats  the  application  to  sys- 
tems which  include  requirements  for  sequential 
operation  of  its  components  (K15). 

Use  of  Reliability  Block  Diagrams 

An  examination  of  the  usual  engineering 
block  diagram  for  an  equipment  reveals  that  the 
diagram  generally  depicts  the  interrelationship 
between  modules  or  other  subportions  of  the 


equipment  which  must  perform  successfully  if 
the  equipment  is  to  operate  successfully.  Based 
on  this  observation,  the  idea  of  preparing  a 
" reliability  block  diagram"  which  would  show 
clearly  the  reliability  interrelations,  was  devel- 
oped (B 12,  F9,  H13,  K10) . The  principal  dis- 
tinction between  a reliability  block  diagram  and 
the  conventional  engineering  block  diagram  is 
that  the  reliability  diagram  must  include  blocks 
representing  power  supplies  and  similar  auxil- 
iary devices,  the  functioning  of  which  contributes 
directly  to  the  success  of  the  equipment,  as  well 
as  blocks  for  those  portions  of  the  equipment  that 
perform  a primary  service  in  fulfilling  the  in- 
tended function. 

The  reliatiliby  block  diagram  often  may  be 
developed  directly  from  the  engineering  block 
diagram  through  the  addition  of  blocks  to  repre- 
sent power  supplies  and  similar  units  (B12). 
Another  approach  (H13)  consists  of  starting  with 
a block  labeled  "This  equipment  will  perform 
successfully  if"  and  connecting  to  that  block  by 
appropriate  series  or  series-parallel  arrange- 
ments blocks  describing  operations  which  must 
be  successful  if  the  equipment  is  to  operate 
successfully.  Series  blocks  are  connected  with 
lines  bearing  the  words  "and  if"  and  parallel 
blocks  are  connected  with  lines  bearing  the  word 
"or.  11  Thus  it  becomes  possible  to  start  at  the 
first  block  and  read,  "This  equipment  will  per- 
form successfully  if.  . . and  if.  . . and  if.  . . or.  . . 
etc.  , 11  where  the  resulting  sentence  provides  a 
complete  description  of  modes  of  successful 
operation.  The  purpose  of  either  of  these 
approaches  is  to  establish  a clear  means  of 
communicating  engineering  knowledge  concerning 
the  equipment  to  the  mathematician  who  is  to 
derive  the  reliability  formula.  The  reliability 
block  diagram  often  should  be  accompanied  by 
either  a definition  of  the  requirements  for 
equipment  success  or  a tabulation  of  those 
minimum  combinations  of  portions  of  the 
equipment  that  will  lead  to  successful  equipment 
operation  if  they  are  simultaneously  successful. 

The  next  step  after  obtaining  the  reliability 
diagram  is  to  derive  the  reliability  formula  de- 
scribing the  probability  of  successful  operation. 
For  equipments  where  the  diagram  indicates 
that  the  elements  are  in  a simple  series -parallel 
arrangement,  the  procedures  described  in  Section 
3.  2 may  be  employed  for  the  more  complex 
equipments,  several  procedures  based  on  easy  to 
follow  rules  that  lead  to  the  derivation  of  valid 
formulas  have  been  proposed  (B 12,  F9,  K10). 
Boolean  algebra  may  prove  useful  in  this  regard, 
but  it  is  not  clear  from  the  literature  if  this 
algebra  is  sufficiently  powerful  to  lead  to  the 
derivation  of  the  desired  formula  without  the  use 
of  several  supplementary  rules  (B 12,  H13,  K10, 
R2). 

Refinement  of  Prediction 

The  techniques  discussed  so  far  in  this 
section  have  related  to  the  problem  of  deriving  a 
formula,  or  mathematical  model,  for  the  reli- 


ability of  an  equipment  under  the  conditions 
where  a single  reliability  block  diagram  or 
switching-circuit  analogue  is  applicable  to  the 
entire  period  of  operation,  and  the  reliability  of 
each  portion  of  the  equipment  is  a constant  for 
that  period  of  operation.  Many  authors  have 
recognized  that  such  conditions  often  do  not 
exist;  thus,  extensions  or  refinements  in  the 
prediction  techniques  are  desirable  in  order  to 
obtain  greater  accuracy  in  the  results. 

Several  papers  have  discussed  the- matter 
of  obtaining  an  estimate  of  possible  variations 
in  equipment  reliability  due  to  variations  in  the 
reliability  of  the  constituent  parts  (B6,  K10, 
M10);  however,  the  need  for  further  work  is 
acknowledged  (A 6).  Useful  indications  of 
possible  variations  in  equipment  reliability  may 
be  obtained  by  making  three  computations  where, 
respectively,  optimistic,  expected,  and  pessi- 
mistic values  of  reliability  are  assumed  for  the 
various  parts  of  the  equipment  (T5).  Another 
approach  is  to  analyze  the  variations  in  equip- 
ment reliability  with  respect  to  the  variations  in 
reliability  of  the  constituent  parts  through  the 
use  of  partial  derivatives  of  the  reliability  for- 
mula (B13).  Several  more  advanced  techniques 
are  discussed  in  Section  4. 

As  the  prediction  techniques  were  ex- 
tended to  more  complex  equipment  and  systems, 
it  became  apparent  that  some  measure  of  good- 
ness which  is  more  comprehensive  than  the  con- 
cept of  reliability,  as  usually  employed,  would 
be  desirable.  One  concept  (F9,  H14,  J3)  - often 
called  system  effectiveness  - makes  provisions 
for  incorporating  considerations  such  as  the 
relative  significance  of  alternate  modes  of  oper- 
ation and  the  effects  of  maintenance  (R12).  A 
recently  proposed  system-value  concept  would 
include  not  only  system  effectiveness  but  also 
such  basic  factors  as  production  time,  support 
requirements,  and  an  evaluation  of  the  effective- 
ness of  the  equipment  in  accomplishing  the  de- 
sired function  so  as  to  provide  an  accurate 
numerical  means  of  choosing  between  alternative 
equipments  for  the  same  task  (K13).  The  tech- 
niques of  reliability  prediction,  perhaps  with 
slight  alterations,  are  basic  to  both  system- 
effectiveness  and  system-value  calculations. 
Other  techniques  necessary  in  these  calculations 
are  beyond  the  scope  of  this  paper. 

Another  problem  concerns  the  prediction 
of  reliability  for  an  equipment  which  during  a 
given  period  of  use  may  pass  through  successive 
intervals  where  requirements  for  successful 
performance  vary  significantly.  In  some  in- 
stances, the  desired  over -all  reliability  figure 
may  be  obtained  from  a combination  of  the 
reliabilities  for  the  separate  niter vals  (P2)  and 
in  others,  the  need  for  techniques  of  higher 
mathematics  (K16)  become  apparent. 

An  excellent  means  of  refining  any  reli- 
ability prediction  is  to  make  use  of  such  limited 
test  data  as  may  come  available  early  in  the 
development  of  the  equipment.  A recently 


392 


reported  non-linear  estimation  technique  for 
obtaining  an  approximation  of  the  expected  value 
of  the  constant  failure  rate  of  an  item  of  equip- 
ment from  data  obtained  during  the  ,tdebugging,! 
period  (R17)  is  typical  of  the  current  effort  in 
this  regard. 

Advanced  Mathematical/Statistical  Techniques 

Besides  the  techniques  described  in  the 
preceding  sections,  many  new  ones,  are  being 
developed  in  an  effort  to  obtain  means  for 
achieving  valid  predictions  of  reliability,  par- 
ticularly in  complex  situations.  These  new 
techniques  often  are  derived  from  the  application 
of  advanced  mathematical  and  statistical  proce- 
dures based  on  information  theory,  Monte  Carlo 
methods,  linear  programing,  queuing  theory, 
Boolean  algebra,  Baye’s  theorem,  and  various 
distribution  theories  such  as  exponential, 

Weibull,  gamma,  normal,  log-normal,  chi- 
square,  Poisson,  and  binomial.  In  order  to 
apply  each  of  these  theories  or  distributions, 
appropriate  raw  failure,  usage,  replacement, 
and  maintenance-time  data,  as  well  as  an  under- 
standing of  the  inferences  that  can  be  drawn  from 
the  ensuing  analysis,  must  be  available. 

A problem  often  encountered  in  reliability 
studies  is  that  of  predicting  the  probability  dis- 
tribution of  some  performance  parameter.  In 
most  cases,  an  exact  analytical  solution  is  not 
feasible  because  of  the  difficulty  in  the  required 
integration.  The  distribution  of  the  performance 
parameter  can  be  obtained,  however,  by  mathe- 
matical simulation  based  on  the  Monte  Carlo 
method  (B16,  DIO,  F 2,  F4,  Ul).  This  method 
constitutes  a "cut  and  try11  approach  where  the 
working  mechanisms  of  the  equipment  are  sim- 
ulated based  on  the  general  mathematical  model 
of  that  equipment. 

As  an  example  of  this  method,  consider 
a simple  series  circuit  configuration  expressed 
by  the  equation 

ed  = LS  + Ri+c+e 

where  e^  is  the  voltage  drop  across  the  BCR 
circuit  as  a function  of  t.  It  is  recognized  that 
the  response  e for  a succession  of  identical 
pulses  of  i willnot  always  be  the  same  but  rather 
will  have  some  probability  distribution  with 
respect  to  time.  Monte  Carlo  simulation  is  one 
means  of  defining  the  distribution  of  e^  so  that 
realistic  safety  margins  can  be  established 
without  actual  test  of  the  circuit.  Appropriate 
random  numbers  are  used  to  simulate  the  dis- 
tribution of  each  circuit  characteristic,  R,  L, 
and  C,  with  respect  to  time.  A cumulative 
probability  distribution  then  is  computed  for  e^ 
to  obtain  the  probabilities  of  exceeding  certain 
limits  or  safety  margins. 

Thus,  through  the  use  of  random  numbers 
and  circuit  equations,  distributions  of  output 


performance  parameters  can  be  established. 

Safety  margins  may  be  apportioned  to  the  various 
stages  of  a design  if  not  to  the  parts  themselves. 
Since  these  analyses  are  only  as  accurate  as  the 
mathematical  model  used  in  the  simulation,  con- 
sideration must  be  given  to  the  possible  effect  of 
nonlinearities  and  interactions  that  are  not  in- 
cluded. 

In  employing  Monte  Carlo  or  other  sim- 
ulation techniques,  the  appropriate  distributions 
for  describing  the  performance  parameters  must 
be  selected  and  random  numbers  with  the  same 
underlying  distributions  generated.  (B16,  Rl). 

The  appropriate  distribution,  of  course,  must  be 
selected  on  the  basis  of  historical  knowledge 
about  the  expected  distribution  of  a process.  A 
method  for  programing  uniformly,  distributed 
random  numbers  and  also  random  numbers  from 
the  exponential,  Weibull,  log-normal,  Poisson, 
and  Chi-square  distributions  has  been  developed 
(J6). 

Another  tool  in  today’s  technology  which 
is  finding  usefulness  in  system  availability  and 
maintainability  studies  is  queuing  theory  (B16, 

B7,  K6,  M12).  Basically  this  theory  is  con- 
cerned with  the  optimization  of  the  waiting  time 
(time  to  repair  or  replace)  subject  to  random 
times  of  arrival  (random  times  to  failure).  The 
object  is  to  establish  the  procedure  for  servicing 
the  maximum  number  of  arrivals  in  the  shortest 
possible,  time. 

To  illustrate,  consider  the  equipment 
that  experiences  random  failures  over  its  operating 
and  storage  life.  Certain  periods  of  time  are 
required  to  search  for  and  replace  various 
failed  parts.  The  design  goal  is  to  establish  the 
equipment  configuration  that  minimizes  down 
time.  Queuing  theory  seeks  the  best  combination 
of  search  time  and  replacement  time.  If  data  are 
available  on  time  to  failure,  search  time,  and 
replacement  time,  these  analyses  may  be  car- 
ried out  effectively.  If  appropriate  data  are 
unavailable,  realistic  results  often  may  be 
obtained  by  simulating  distributions  based  on  the 
failure  rates  of  the  parts  or  modules. 

If  the  future  probability  states  of  an  equip- 
ment depend  only  on  the  immediate  past  history, 
then  the  process  is  Markovian  (B2).  Any  equip- 
ment whose  parts  fail  approximately  according  to 
an  exponential  distribution  can  be  described  as  a 
stationary  Markov  process.  A non- stationary 
Markov  process  exists  where  the  failure  rates 
change  with  time.  Markovian  techniques  can  be 
used  to  consider  the  effects  of  both  component 
drift  and  catastrophic  failure  (B19,  K16). 

Among  other  advanced  analysis  proce- 
dures which  might  be  mentioned  are: 

(a)  The  use  of  vector  analysis  techniques 
to  study  the  reliability  of  multicomponent  struc- 
tures in  series  and  parallel  configurations  (BIO). 


393 


(b)  The  application  of  Baye1  s theorem 
to  reliability  (B3,  Ml 5)* 

(c)  The  application  of  various  distri- 
butions! their  density  functions  and  variances, 
means,  failure  rates,  etc,  (H6). 

The  advanced  mathematical  and  statistic- 
al techniques  useful  in  reliability  prediction  are 
generally  so  complex  that  it  is  impossible  to 
present  an  adequate  description  of  their  appli- 
cation, function  and  value  in  this  survey  paper. 
The  reference  documents  cited  can  provide  the 
reader  with  more  information  on  these  methods. 


Other  Prediction  Techniques 

The  literature  survey  carried  out  in  con- 
junction with  the  preparation  of  this  paper  re- 
veals that  almost  all  the  prediction  techniques 
fall  into  the  categories  discussed  in  Sections  Z, 

3,  and  4,  Of  the  remaining  techniques,  several 
deserve  mention  because  of  their  unique  approach 
and  possible  application  to  various  situations 
which  the  engineer  may  encounter. 

One  paper  {K5}  describes  three  techniques, 
the  first  two  of  which  are  reported  to  be  in  cur- 
rent use.  The  first  of  these,  "Predicting  Reli- 
ability by  Using  a Standard,  " leads  to  the  devel- 
opment of  "Relative.  Complexity  Factors"  which 
serve  as  a measure  of  the  relative  unreliability 
of  specific  parts  as  compared  to  the  unreliability 
of  some  standard,  unity -complexity -factor  part. 
The  second  method,  "Predicting  Reliability  by 
Using  Rating  Factors"  results  in  the  tabulation 
of  rating  factors  based  on  engineering  judgment, 
manufacturing  complexity,  mean-life  data, 
state-of-the-art,  and  other  information  which 
might  affect  reliability.  It  is  suggested  that 
several  groups  of  engineers  be  asked  to  develop 
rating  factors  for  the  same  parts  and  then  a 
composite  set  of  average  values  be  derived  for 
use  in  prediction  studies.  The  third  method, 
"Predicting  Reliability  by  Relative  Utility  Eval- 
uation, 13  is  based  on  the  computation  of  a "Kn 
factor  for  each  device  where  K is  the  product  of 
cost  times  weight  times  volume.  Failure  data 
from  a variety  of  electronic  and  mechanical 
subsystems  are  used  to  demonstrate  that  the 
associated  "K"  factors  are  useful  predictors  of 
relative  reliability. 

Another  approach  to  predictions(PS)  is  to 
compute  the  over -all  reliability  as  a product  of 
the  design  reliability  times  the  component  reli- 
ability times  the  reliability  of  fabrication.  Tech- 
niques for  estimating  the, latter  two  expressions 
in  this  product  are  described, 

A third  paper  (R14),  which  perhaps  could 
have  been  included  in  Section  4 of  this  survey, 
suggests  an  approach  to  system  analysis  which 
would  organize  engineering  design  information 
and  data  on  component  performance  in  a way 
suitable  for  the  application  of  probability  theory 
and  the  techniques  of  mathematical  statistics. 


This  approach  is  shown  to  be  particularly  signif- 
icant wlien  effects  such  as  combined  environment, 
interdependence  of  failures,  and  confidence 
intervals  for  performance  characteristics  must 
be  considered. 

Use  and  Validity  of  Reliability  Prediction 

Throughout  this  paper,  it  has  been 
tacitly  assumed  that  the  development  of  a reli- 
ability prediction  results  in  valid  information 
that  is  distinctly  useful  in  a design  program. 
Several  authors  (B18,  L6,  W$,  W9)  have 
questioned  this  assumption;  but  with  the  excep- 
tion of  one,  they  have  concluded  that  when  pre- 
dictions are  developed  properly,  using  suffi- 
ciently accurate  basic  information,  the  results 
are  useful.  Others  (B8,  FI,  T6)  have  pointed 
to  the  conditions  for  making  a useful  prediction 
and  their  resulting  value  in  system  analysis. 
Briefly,  predictions  have  been  found  to  be  useful 
and  valid,  from  a designer's  point  of  view,  for 
obtaining: 

(a)  An  absolute  estimate  of  the  inherent 
reliability  of  equipment. 

(b)  Relative  evaluations  of  the  reliability 
of  alternative  design  approaches, 

(c)  Information  on  "weak  links,  11  as  an 
aid  to  design  improvement. 

From  a manager's  point  of  view,  predictions 
are  useful  for: 

(1}  Establishing  adequacy  of  proposed 
design  at  time  of  bidding, 

(Z)  Measuring  conformance  to  reliability 
specifications? 

(3)  Planning  reliability  test  programs; 

in  particular,  estimating  duration  of  test  programs 
as  an  aid  in  preparation  of  schedules  and 
budgets, 

(4)  Analyzing  design  improvements. 

Uses  (1),  (Z),  and  (3)  relate  generally  to  (a),  or 
the  obtainment  of  an  absolute  estimate  of  the 
inherent  reliability,  whereas  (4)  relates  to 
items  (b)  and  (c). 

One  of  the  basic  reasons  for  developing 
reliability  prediction  techniques  was  to  provide 
means  for  estimating  the  reliability  of  a device 
from  design  data  in  order  to  obtain  a reasonable 
measure  of  the  adequacy  of  the  design  in  terms 
of  the  specification  or  use  requirements.  To 
achieve  a prediction  useful  for  this  purpose, 
great  care  must  be  employed  in  both  the  devel- 
opment of  the  mathematical  model  and  the 
choice  of  the  numerical  reliability  data  for  use 
in  the  model.  The  data  must  be  appropriate  to 
the  specific  parts,  the  circuit  and  environmental 
stresses,  and  such  other  factors  as  may  affect 
the  ultimate  reliability.  Several  investigations 


nave  shown  that  agreement  between  predicted  and 
measured  reliabilities  may  be  within  assigned 
confidence  limits.  More  typical  of  the  results 
are  situations  where  the  measured  reliability,  in 
terms  of  mean-time-between-failure,  ranges 
from  one -third  to  two  times  the  predicted  value* 

A variety  of  comparisons  are  discussed  in  the 
literature  (A?,  B2G,  D2,  Gl*  HZ,  Nl,  R6,  Y2, 

V3)  * 

Another  use  of  reliability  prediction  is  to 
obtain  comparative  evaluations  of  alternate 
designs,  or  of  an  existing  design  and  a proposed 
improvement.  In  situations  such  as  these,  if 
the  emphasis  is  put  on  the  comparison  and  not  on 
the  estimation  of  the  absolute  value  of  the  reli- 
ability, the  requirements  for  prediction  are 
relaxed  and  greater  accuracy  may  be  expected. 

To  obtain  this  accuracy,  the  same  basic  rules 
must  be  followed  in  the  analysis  of  the  alternate 
designs;  and  comparable  reliability  data  must  be 
used.  OI  course,  many  variations  in  design  may 
be  studied;  the  literature  gives  particular  atten- 
tion to  the  use  of  prediction  techniques  in  the 
analysis  of  the  effects  of  redundancy  (Bl,  K12, 

M9). 

Perhaps  the  most  valuable  use  of  reli- 
ability prediction  is  in  the  analysis  of  a design  to 
establish  its  weakest  links  from  the  point  of  view 
of  reliability,  as  an  aid  in  design  improvement. 
The  simplest  approach  in  this  regard  is  merely 
to  make  gross  comparisons  between  the  reli- 
ability of  various  modules  in  the  equipment  to 
establish  those  modules  which  exhibit  the  lowest 
reliability.  As  the  complexity  of  a system  grows, 
a simple  inspection  of  the  results  of  the  predic- 
tion may  not  be  adequate.  Under  these  circum- 
stances, a useful  procedure  is  to  evaluate  the 
partial  derivatives  of  the  reliability  formula  for 
the  equipment  with  respect  to  the  reliability  of 
its  constituent  parts  to  establish  which  module 
reliabilities  can  cause  the  greatest  change  in 
equipment  reliability  {B13,  L3),  More  advanced 
mathematical  techniques,  some  of  which  are 
described  briefly  in  Section  4,  also  are  useful  in 
this  regard  either  singly  or  in  conjunction  with 
computer  studies. 

Concluding  Remarks 

As  noted  in  the  introduction,  the  purpose 
of  this  paper  is  to  provide  a compendium  of  in- 
formation useful  to  an  engineer  in  selecting  the 
reliability  prediction  technique  appropriate  to 
his  requirements.  In  fulfilling  this  purpose  we 
have  evolved  a guide  to  those  basic  techniques 
which  have  received  reasonably  wide  acceptance 
and  have  listed  a considerable  number  of  refer- 
ences which  have  received  reasonably  wide 
acceptance  and  have  listed  a considerable  number 
of  references  which  may  be  consulted  for  further 
information. 


hypothesized  and  older  techniques  are  being 
substantiated  and/or  improved.  Therefore,  we 
offer  this  work  as  a stepping  stone  from  the  old 
to  the  new  with  the  hope  that  it  will  aid  many 
groups  in  obtaining  maximum  benefit  from  the 
current  technology  as  the  need  for  reliability 
prediction  increases  for  both  military  and  com- 
mercial products. 

The  authors  will  welcome  correspondence 
from  any  who  wish  to  aid  in  maintaining  this 
compendium  complete  and  up  to  date.  To  facil- 
itate the  utilization  of  correspondence,  it  is 
requested  that  a copy  of  any  communication, 
including  enclosures  thereto,  be  sent  to  each 
author. 


The  authors  gratefully  acknowledge  the 
assistance  rendered  by  many  who  responded  to 
informal  requests  for  information  on  publications 
related  to  reliability  prediction.  In  particular, 
they  appreciate  helpful  letters  and  comments 
received  from  Messrs,  I.  Doshay,  G,  R, 
Grainger,  H.  J,  Kennedy#  C,  A,  Krohn,  Rp  E. 
Moe,  E,  J.  Nucci,  L.  J.  Faddison,  and  E. 

She c ter.  Further,  they  wish  to  thank  the 
authors  of  earlier  papers  on  this  subject  whq 
through  the  inclusion  of  bibliographies  in  their 
papers,  provided  guides  to  earlier  articles  on 
this  subject.  If  articles  of  significance  have  not 
been  referenced,  their  authors  are  asked  not 
to  take  offense  but  rather  to  provide  information 
that  will  facilitate  the  correction  of  the  omission. 


Bibliography 

1,  Armed  Services  Technical  Information  Agency, 
M Bibliography  on  Reliability,  " (On  file  cards, ) 

2,  Institute  of  Technology,  Air  Univ,  USAF, 

11  Reliability,  A Subject  Bibliography,  11  by 
Tibor  Vmeze,  Tech,  Report  No.  61-1,  Feb. 

23,  1961, 

3*  Office  of  Technical  Services,  "Reliability  and 
Quality  Control  - Selective  Bibliography,  11 
Dept,  of  Commerce,  Report  No,  SB  40 5, 

19 SO  - I960. 

4.  Rand  Corp.  , "Rand  Publications  on  Reliability," 
Report  No,  RM2613,  July  15,  I960,  compiled 
by  D,  S.  Stoller. 

5.  U.  S.  Navy  Electronics  Laboratory,  UNEL 
Reliability  Bibliography",  May  1956  with 
supplements,  OTS  FB121838  and  PB121B38S. 

6.  "Literature  Guide  on  Failure  Control  and  Re- 
liability", Capt,  W,  F*  Luebbert,  Signal  Corps 
Tech.  Report  13,  December  31,  1956,  Stanford 
Electronics  Lab.,  Stanford  Univ.  (contract 
NOnr  225(24),  NR373-3  60), 


As  is  well  recognized,  reliability  engi- 
neering technology  is  dynamic,  constantly  growing 
and  expanding,  so  that  even  as  these  words  are 
written,  new  techniques  for  prediction  are  being 

395 


A1  Abhyander,  S.  , 11  Investigation  of  Mathemat- 
ical Methods  for  the  Analysis  and  Synthesis 
of  Computer  Circuits",  Sept.  1956,  ASTIA 
AD110120. 

A2  Acheson,  M.  A.  , "Electron  Tube  Life  and 

Reliability",  Sylvania  Electric  Products  Inc. 
1956,  Chapt.  V7  “ 

A3  Aeronautical  Radio,  Inc.  , "Investigation  of 
Electronic  Equipment  Reliability",  Air 
Force  Reliability  Assurance  Program,  Pro- 
gress  Report  No.  1,  Feb.Zl5,  1956. 

A4  AGREE,  "Reliability  of  Military  Electronic 
Equipment " , Office  of  Asst.  Sec.  of  Defense, 
June  4,  1957. 

A5  Albrecht,  N.  and  Pascucci,  D.  , "Technique 
for  the  Physical  Survivability  Analysis  of  a 
Communication  Network" , Proc.  5th  Nat'l 
Symp.  on  Global  Communications . 

A6  Allen,  W.  R.  , Tick,  L.  J.  , Woodbury,  M.  A.  , 
"Some  Mathematical  and  Statistical  Tech- 
niques Useful  in  Reliability  Analysis",  Proc. 
4th  Nat'l  Symp.  Rel.  and  Q.  C.  , Jan.  6^F]  ~ 

I^^7^p7.63C68. 

A7  ARinc  Research  Corporation,  "Yearly  Review 
of  Progress",  July  15,  1966,  Pub.  No.  101- 
28-166. 

A8  Army  Ordnance  Missile  Command,  "AOMC- 
Contr actor  Reliability  Conference",  Red- 
stone Arsenal,  Dec.  16,  1958. 

B1  Balaban,  H.  S.  , "Some  Effects  of  Redundancy 
on  System  Reliability",  Proc.  6th  Nat'l  Symp. 
Rel  and  Q.  C.  , Jan  11-13,  I960,  pp.  388-402. 

B2  Barlow,  R.  E.  and  Hunter,  L.  C.  , "Mathemat- 
ical Models  for  System  Reliability",  Sylvania 
Electronic  Defense  Labs,  Report  No.^EDL-  ~ 
E 35.  , Aug.  11,  1959. 

B3  Bazovsky,  I.  , "Reliability:  Theory  and 
Practice",  Prentice  Hall,  1961. 

B4  Bear,  J.  C,  , Elements  of  Reliability  Pre- 
diction", ARINC  Research  Corp.  , Publ. 

No.  98,  Oct.  1,  1956. 

B5  Bellman,  R and  Dreyfus,  S.  , "Dynamic  Pro- 
gramming and  the  Reliability  of  Multicom- 
ponent Devices",  The  Rand  Corporation, 
Report  No.  P-1139,  Sept.  10,  1959. 

B6  Benner,  A.  H.  and  Meredith,  B.  , "Designing 
Reliability  into  Electronic  Circuits",  Proc. 
Nat'l  Electronics  Conference,  Vol.  10,  1954 
pp.  137-145  (also  RCA  Report  EM-4208). 

B7  Bharucha-Reid,  A.  T.  , "Elements  of  the 
Theory  of  Markov  Processes  and  Their 
Applications",  McGraw-Hill  Book  Co.  , Inc. 
I960.  " 

B8  Bird,  G.  T.  , nOn  the  Basic  Concepts  of  Re- 
liability Prediction",  Proc.  7th  Nat'l  Symp. 
Rel  and  Q.  C.  , Jan  9-U>  1961,  pp.  51-55. 

B9  Bird,  G.  T.  , "On  Reliability  Prediction  in 
Satellite  Systems",  ARINC  Research  Corp. 
Pub.  No.  4226-1-20 57~May T9 60i 

B10  Birnbaum,  Z.  W.  , Esary,  J.  D.  , and  Saun- 
ders, S.  C.  , "Multi -Component  Systems  and 
Structures  and  Their  Reliability",  Techno - 
metrics,  Vol  3,  No.  1,  Feb.  19 61, 


Bll  Black,  G.  "A  Critical  Survey  of  Electronic 
Component  Failure  Rates",  Sylvania  Elec  - 
trie  Products  Inc.  , Mtn.  View,  Calif.  , Tech. 
Memo  ED1-M175,  Jan  31,  1959  (contract  DA 
36-039  SC78281). 

B12  Blanton,  E.  , "Reliability  Prediction  Tech- 
nique for  Use  in  Design  of  Complex  Systems" 
Hycon  Eastern,  Inc,  , Report  No.  AV7M, 

Jan  21,  1957.  Also  paper  by  same  title, 

IRE  Nat'l  Convention  Record,  Vol  5,  Part 
10,  1957.  Condensation  of  paper  published 
as  "Reliability -Design  Technique  for  Com- 
plex Systems] ! Electronic  Design,  Vol.  5, 
No.  17,  Sept.  1,*W 

B13  ’Blanton,  H.  E.  , " Reliability -Sensitivity- 
Function  Analysis  ",  Electronic  Design, 

Vol.  6,  No.  4,  Feb.  19,  1958.  " 

B14  Boeing  Company  Aerospace  Division, 

"Reliability  Manual",  (revised  to  8~l~6l) 
Document  No.  D2-3246. 

B15  Bosinoff,  I.  and  Klion,  J.  , "Development  of 
New  Prediction  Techniques",  Proc.  8th 
Nat'l  Symp.  Rel  and  Q.  C.  , Jan  9-11,  T962. 

Bl6  Bosinoff,  I.  , Jacobs,  R.  , Fradette,  D.  , 
"Mathematical  Simulation  Study",  Tech- 
nical Report,  Sylvania  Electronic  Systems, 
Waltham,  Mass.~Oct.  1,  1961. 

B17  Bosinoff,  I.  "Design  Goal  for  Reliability", 
Proc.  7th  Nat'l  Symp.  Rel  and  Q.  C.  , Jan. 
9-117” 19 61,  pp.  340 -343 . 

B18  Boyes,  W.  E.  , "The  Practicality  of  Predict- 
ing Reliability  Numbers",  Proc.  6th  Nat'l 
Symp.  Rel  and  Q.  C.  , Jan  11-13,  I960,  pp. 
2B7TZff5: 

B19  Brender,  D.  M.  and  Tainiter,  M.  , "A 

Markovian  Model  for  Predicting  the  Relia- 
bility of  an  Electronic  Circuit  from  Data  on 
Component  Drift  and  Failure  ",  IRE  Inter  - 
national  Convention  Record,  Vol.  9*  Part- 
6,  19  61,  pp.  230 - 241. 

B20  Brown,  H.  B,,  Fredrick,  W.  C.  , Kennedy, 

H.  J.  , "Improved  Techniques  for  Design- 
Stage  Prediction'  ',  Air  Force  Reliability 
Assurance  Program,  Progress  Report  No. 

2,  Vol.  1,  Arinc  Research  Corp.  , Pub. 

No.  110-1-13  6;  April  1,  1959. 

B21  Buehler,  R.  J.  , "A  Study  of  the  Accuracy 
and  Reliability  of  Compound  Circuits", 

Sandia  Corp.  , Report  No.  SC-2324(TR) 

I. ,  May  13,  1952. 

Cl  Cahn,  A.  S.  , "Reliability,  Quality  Control 
and  Simulation",  The  Rand  Corp.  Report 
No.  P-1623,  Mar ch  2,  196 9 7 

C2  Carhart,  R.  R.  , "Reliability  in  Guided 

Missile  Systems",  The  Rand  Corp.  Report 
No.  P-315,  July  7,  19ZZ 

C3  Carhart,  R.  R.  , "A  Current  Status  of  El- 
ectronic Reliability  Problem",  The  Rand 
Corp.  report  No.  RM-1131,  Aug  14,  1953. 

C4  Christian,  J and  Hollander,  K.  W.  , "Rel- 
iability of  Switching  Mechanisms",  ARINC 
Research  Corp.  Pub.  No.  125-1-203,  Jan. 

19 61.  (Also  published  as  Rome  Air  Develop- 
ment Center  RADC- TR-60 -239.  ) 


396 


C5  Christopher,  G,  F.  , Karmiol,  E ■;  D.  , Yout- 
cheff , J.  S,  , ’’Prediction  of  Missile  System 
Survival  in  a Vibration  Environment”, 
Environmental  Quarterly,  Vol.  5,  No.  1, 

Jan  1959.  ~ 

C6  Chukreev,  Malikov,  Polovko,  Romanov, 

"Fundamentals  of  the  Theory  and  Comput- 
ation of  Reliability”,  Sudpromgiz,  1959, 

(Book  in  Russian), 

C7  Connor,  J.  A.  , "A  Systematic  Plan  for  Pre- 
dicting Electronic  Equipment  Reliability”, 
Proc.  195  6 Electronic  Component  Conf.  , 

195V. 

C8  Connor,  J.  A,  , ” Prediction  of  Reliability”, 
Proc.  6th  Nat'l  Symp.  Rel  and  Q.  C.  , Jan. 
11-13,  I960,  pp,  134-154'. 

C9  Crawford,  J.  R.  , "Estimating  Reliability”, 
Transactions  Middle  Atlantic  Region  and 
Aircraft  and  Missiles  Div.  9th  Annual~Conf. 

ASQC 195  9T 

CIO  Creveling,  C.  J.  , ” Increasing  the  Reliability 
of  Electronic  Equipment  by  the  Use  of  Re- 
dundant Circuits”,  Naval  Research  Lab.  , 
Report  4631,  Dec.  5,  1955. 

D1  Davis,  D.  J,  , "An  Analysis  of  Some  Failure 
Data”,  The  Rand  Cor p.  , Report  No.  P-183 
Feb.  12,  1952. 

D2  Davis,  R.  A.  , Wahrhaftig,  W,  , "Reliability 
Predictions,  A Case  History”,  IRE  Trans- 
actions on  Rel  and  Q,  C.  , Vol  RQC-9,  No.  1 
April  i960,  pp.  67-90. 

D3  Davis,  R.  G.  , "Some  Relations  Between  Sys- 
ten  and  Component  Reliabilities”,  Proc.  of 
Joint  Military- Industry  Guided  Missile  Rel. 
Symp.  , Redstone  Arsenal,  Report  No.  OY3, 
Von,  Oct.  15-17,  1956,  pp.  18-1,  -18-9* 

D5  Doshay,  I.,  "Reliability  Analysis  of  Abies  - 
ter  Stage”,  Aerojet  General  Corp.  , Report 
No.  L0358 -01-10,  Sec  III,  Sept.  15,  I960. 

D 6 Doshay,  I.  "Reliability  Monitoring  Report 
for  Abies  ter  Stage”,  Aerojet  General  Corp. 
Report  No.  2042,  June  1961. 

D7  Dreste,  F.  E.  , "Circuit  Design  Concepts  for 
High  Reliability”,  Proc.  6th  Nat’l  Symp. 

Rel.  and  Q.  C.  , Jan.  11-13,  I960,  pp. 121-133. 

D8  Dreste,  F.  E.  , "Statistics!  Key  to  Reliable 
Military  Electronic  Design”,  Military  El- 
ectronics,  Vol.  VI,  No.  3,  Mar.  195  9, 
pp.  37  6,  8. 

D9  Dreyfus,  S.  (See  B5). 

DIO  Driggs,  D.H.  , "Monte  Carlo  Method  of 

Operational  Research",  May  1955,  ASTIA 
AD138061. 

Dll  Durand,  T.  S.  and  Johnston,  D.E.,  ” A ^ 

Compilation  of  Component  Field  Reliability 
Data  Useful  in  Systems  Preliminary  Design" 
WADD  TR60  - 330,  ASTIA  AD3  228  22. 

El  Earles,  D.  R.  , "Dynamic  Reliability  Apport- 
ionment", Martin-Denver,  Report  No.  M60- 
43,  Nov.  19 6(37 

E2  Earles,  D.  R.  , "Component  Part  Failure 

Rates  Associated  with  Installation  Environ- 
ment”, Martin-Denver,  Report  No.  M60-47, 
Dec.  19607 


E3  Earles,  D.  R.  , "Reliability  Growth  Predict- 
ion During  the  Initial  Design  Analysis”,  Pro- 
ceedings 7th  Nat’l  Symp.  Rel  and  Q.  C.  , Jan. 
9-11,  ppT3S7T3W: 

E4  Earles,  D.  R.  , "Reliability  Application  and 
Analysis  Guide”,  Martin-Denver,  Report  No. 
Ml- 60 -54  (Rev.  1),  July  1961  (Failure  Rate 
Handbook). 

E5  Esary,  J.  D.  (See  BIO). 

E6  Estes,  C.  , "Study  of  Electronic  Equipment 
Life  Prediction",  Third  Quarterly  Progress 
Report,  Motorola  Inc.  , April  30,  I960, 

ASTIA  AD  243  5 81. 

E7  Estes,  C.  , "Study  of  Electronic  Equipment 
Life  Prediction",  Fourth  Quarterly  Progress 
Report,  Motorola  Inc.  , July  31,  I960, 

ASTIA  AD24426R. 

E8  Estes,  S.  Ee  , "Methods  of  Determining 

Effects  of  Component  Redundancy  on  Relia- 
bility ",  MIT,  Aug  1958,  ASTIA  AD205965. 

FI  Farrier,  J.  M.  , "Designing  in  the  Dark", 
Proc.  6th  Nat’l  Symp.  Rel.  and  Q.C.  , Jan. 
11-13,  I960,  pp.  “431-437. 

F2  Feinauer,  E.  , "Monte  Carlo  Evaluation  of 
Single  Scattering  Integrals  ”,  March  1961, 
ASTIA  AD472  51. 

F3  Firstman,  S.  I.  , "The  Application  of  Random 
Sampling  Simulation  to  Reliability  Estimat- 
ing", Proc.  3rd  Exploratory  Conf.  on 
Mis sile  Model  Design  for  Rel.  Prediction, 
White  Sands,  N.  M.  , April  20- 2 3, ”195 9- 
(See  also  the  Rand  Corp.  Report  no.  P-1638, 
March  16,  1959. ) 

F4  Firstman,  S.  I..,  "Monte  Carlo  Models  for 
Estimating  Reliability:  An  Exploratory  Ana- 
lysis”, The  Rand  Corp.  , Report  No.  RM 
2149,  June  5,  I95F,  ASTIA  AD213036. 

F5  Firstman,  S.I.  , "Reliability  Estimating 

by  the  use  of  Random  Sampling  Simulation", 
The  Rand  Corp.  , Report  No.  P-1521,  Oct. 

Zb,  19~5S“ 

F6  Fradette,  D.  (see  Bl6) 

F7  Frantik,  R.  O.  , "The  Determination,  Appli- 
cation and  Limitations  of  Circuit  Reliabil- 
ity Equations",  Sandia  Corp.  Report  No. 
SC-3288(TR),  April  26,  1954. 

F8  Fredrick,  W.  C.  (See  B20) 

F9  Friddell,  H.  G.  , and  Jacks,  H.  G.  , "System 
Operational  Effectiveness  (Reliability,  Per- 
formance, Maintainability)",  Proc.  5th 
Nat’l  Symp.  on  Rel.  and  Q.  C.  , Jan  12-14, 
1959,  pp.  179-196.  Also  published  in  Re- 
search and  Development  Reliability,  Elec- 
tronics Division,  ASQC,  Feb.  197>1,  pp.  76- 

iis:  ” 

G1  Gates,  C.R.  "The  Reliability  of  Redundant 
Systems",  JPL~California  Institute  of  Tech- 
nology,  Memo  2CR76,  Aug.  27,  1952. 

G2  Gray,  H.  J.,  "An  Application  of  Piecewise 

Approximations  to  Reliability  and  Statistical 
Design”,  Proc.  of  IRE,  Vol.  47,  No.  7, 

July  1959. 


397 


Hi  Harris,  T.  E.  , "A  Model  for  the  Reliability 
of  Complex  Mechanisms  11 , The  Rand  Corp. 
Report  No.  RM302,  Dec.  5/1949’  " ^ 

H2  Harris  V*  and  Tall,  M,  M.  , " Progress  Re- 
port on  Reliability  Prediction",  Proc,  2nd 
Nat1!  Sympf  on  Rel.and  Q.  C.  , Jan  9-11,  195  6 
pp.  99-121. 

H3  Harshbarger,  B,  , Editor,  Proceedings  of  the 
Statistical  Techniques  in  Missile  ' Evaluation"- 
Symposium,  Director  of  Guided  Missiles, 
Office  of  Secretary  of  Defense  and  Office  of 
Ordnance  Research,  1958. 

H4  Hedetniemi,  C,  J,  and  Herd,  G.  R.  , "Fre- 

dieting  the  Reliability  of  Airborne  Equipment" 
Electronic  Industries  and  Tele- Tech.  , Sept. 

mK ” ~~ 

H5  Herd,  G.  R.  (See  H4) 

H6  Herd,  G.  R.  , "Some  Statistical  Concepts  and 
Techniques  for  Reliability  Analysis  and  Pre- 
diction", From  5th  Natl  Symp.  ReL  and  Q,  C. 
Jan.  12-14,/ 195  9/ ~~PP*  126-13  6. 

H7  Herd,  G.  R.  , "Estimation  of  Equipment  Re- 
liability11, ARINC  Research  Corg,  , Pub. 

No-  68,  May  26,  1955. 

H8  Herd,  G,  R.  , "Estimation  of  Reliability 

Functions",  ARINC  Research  Corp.  , Pub. 

No,  87,  May  I,  195  6. 

H9  Herd,  G,  R,  , "Application  of  Statistical 

Methods  in  Evaluating  Performance  of  Elec- 
tronic Equipment",  Annual  Convention  Trans- 
actions,  ASQC,  1953. 

H1G  Hershey,  J.  H.  , "Reliability  and  Maintain- 
ability of  Military  Electronic  Equipment", 
presented  at  3rd  Signal  Maintenance  Symp,  , 
Ft.  Monmouth,  N,  J.  , April  14-16,  1959, 

(Data  included  in  this  paper  from  handbook 
Military  Reliability  Information,  Bell  Tele- 
phone  Laboratories? ) 

Hll  Hinrichs,  R,  H.  , "A  Second  Statistical  Method 
for  Analyzing  the  Performance  Variation  of 
Electronic  Circuits",  Convair,  San  Diego, 
Report  ZX- 7-010,  Feb.T5,  195  6. 

H12  Hollander,  K,  W.  (See  C4) 

H13  Holtzman,  C.  W.  Jr.  and  Marshall,  W,  E.  , 

"A  New  Method  of  Communication  Between 
Engineer  and  Mathematician  Aids  System 
Reliability  Prediction",  From  6th  Natl. 

Symp,  Rel.  and  Q,  C,  , Jan.  ll-13,  I960, 

pp.  403-408. 

H14  Horne,  R.  C.  Jr.  and  Welker,  E.  L, , "Concepts 
Associated  with  System  Effectiveness", 

ARINC  Research  Corp.  , Pub.  No.  123-4-163 
July  l57~l 9"FG» 

MS  Hosford,  J.  E.  , "Measures  of  Dependability" 
Phil co  Western  Development  Lab.  , Palo 
Alto,  May  19^5* 

KL6  Howard,  W.  J.  , "Chain  Reliability*  A Simple 
Failure  Model  for  Complex  Mechanisms", 

The  Rand  Corp.  , Report  No.  RM-1058, 
March-!!?,  1953. 

HIT  Howard,  W.  J.  , "Some  Physical  Qualifications 
for  Reliability  Formulas",  The  Rand  Corp, 
Report  No.  RM-724,  June  1,  195  6, 

HI 8 Hunter,  S.  (See  B2). 


J3  Jaffe,  H.  and  Rosenthal,  S.  A.  , and  Katz,  M, 

"A  Measure  of  Reliability  and  Information 
Quality  in  Redundant  Systems",  IRE  Trans- 
actions on  Rel  and  Q.  C.  , Vol.  RQC-10,  No. 
lt  March  1961,  pp.  29-37, 

J4  Johnston,  D.  E.  (See  Dll) 

J5  Johnston  and  Macruer,  "A  Summary  of 
Component  Failure  Rate  and  Weighting 
Function  Data  and  Their  Use  in  Systems 
Preliminary  Design",  WADC  TR57-668, 

Dec.  1957,  ASTIA  AD142120. 

J6  Juncosa,  "Random  Number  Generation  on 
the  BRL  High  Speed  Computing  Machine", 
Ballistic  Research  Lab.,  Report  No.  855, 
May~3,  19^3 « 

J7  Jaffe,  H.  and  Katz,  M,  D, , and  Rosenthal, 

S.  A.  , "Designing  Reliability  into  the  B-58 
Bombing -Navigation  System",  Prom  7 th 
Natl  Symp.  Rel  and  Q.  C.  , Jan  9-11,  1961, 
pp.  27 3-282. 

K1  Kennedy,  H.  J.  (See  B20) 

K2  Karmiol,  E.  D.  (SeeC5) 

K3  Katz,  M.  D.  (See  J3) 

K4  Katz,  M.  D,  (See  J7) 

K5  Kaufmann,  M.  L and  Kaufman,  R.  A.  , "Pre- 
dicting Reliability",  Machine  Design,  Aug. 

18,  I960,  pp.  178-18C 

K6  Keilson,  J,  and  Kooharian,  A.  , "On  Time 
Dependent  Queuing  Processes",  Annals 
Math e ma  ti  c al  Sta  ti sties,  Vol,  31/  19  60. 

K7  Keister,  Ritchie,  and  Washburn,  "The 
Design  of  Switching  Circuits",  D.  Van 
Nostrand  Co.  , New  York,  195  2, 

K8  Kirby,  M*  J.  , and  Powell,  H.  R.  , "Pre- 
diction of  Missile  Reliability",  Sperry 
Engineering  Review,  July^Aug.  1955/ 

K9  Kirkpatrick,  I.  , ^Predicting  Reliability 
of  Electro- Mechanical  Devices",  Prom 6th 
Na tl  Symp . Rel.  and  Q . C . , Jan  11-13,  I960 
pp.  272-281. 

K10  Kleiner nmn,  M.  M.  and  Weiss,  G,  H.  , "On 
The  Reliability  of  Networks",  Prom  of  Natl 
Electronics  Conf. , Vol.  10,  1954j  pp.  128-13 6. 
Kll  Klion,  J.  (See  B15) 

K12  Kneale,  S.  G.  , "Reliability  of  Parallel  Sys- 
tems with  Repair  and  Switching",  Prom  7th 
Natl  Symp.  Rel  and  Q.  C.  , Jan.  9-H,  I96l 

pp.  129-135. 

K13  Knight,  C.  R.  , "General  Factors  in  System 
Effectiveness",  Presented  at  EIA  M5  Comm, 
on  Military  Electronics  Sys terns , Wa  sh,  D . C . 

Sept.  26,  1961. 

Kl4  Kochendorfer,  D.  C.  , "Application  of  Theor- 
etical Concepts  in  Reliability  Studies", 

ARINC  Research  Corp.  , Pub.  No.  72,  Sep. 
20,  1955. 

K15  Kirkpatrick,  L,  "Proposed  Procedures  for 
Reliability  Stress  Analysis  of  Mechanical 
and  Electro- Mechanical  Devices",  Report 
No,  176,  Feb.  27,  1958,.  RCA  Victor  Co,, 

Ltd. 

Kl6  Kleiner  man,  M(  M.  and  Weiss,  G.  H.  , "The 

Reliability  of  Sequentially  Operated  Networks1 
IRE  International  Conv,  Record,  Vol,  9, 

Part  6,  1961,  pp,  222-229. 


J1  Jacks,  H.  G,  (See  F9) 
J2  Jacobs,  R*  (See  B16) 


398 


LI  Lacey,  H.  E.  , "A  Natural  Approach  to  the 
Calculation  of  Systems  Reliability",  U.  S. 
Naval  Ordnance  Labs.  , White  Oaks,  Mary- 
land, Oct.  31,  1957,  ASTIA  AD150783. 

L2  Landers,  R.  R.  , "Method  for  Measuring, 

Analyzing  and  Predicting  Reliability  and  Per- 
formance of  Large,  Complex  Electronic 
Equipment",  First  Technical  Guided  Missile 
Symp.  , Los  Angeles,  June  21,  1956. 

L3  Lipp,  J.  P.  , "Topology  of  Switching  Elements 
vs.  Reliability 11 , IRE  Trans,  on  Rel  & Q.  C., 
No.  PGRQC-10,  June  1957,  pp.  21-33. 

L4  Locurto,  C.  A.  , "Reliability  Design  Analysis 
Manual " , General  Electric  Missile  and  Space 
Vehicle  Dept.  , Report  No.  R60SD552,  k/lar. 

11,  I951T 

L5  Luebbert,  W.  F. , "Achieving  Operational 

Effectiveness  and  Reliability  with  Unreliable 
Components  and  Equipment",  IRE  Convention 
Record,  Vol.  4,  Part  6,  195  6,  pp.  41-60. 

L6  Lusser,  R.  , "Predicting  Reliability",  Red  - 
stone  Arsenal,  October  1957. 

L7  Lusser,  R.  , j,A  Study  of  Methods  for  Achiev- 
ing Reliability  of  Guided  Missiles",  Redstone 
Arsenal,  reproduced  from  NAMTC  Technical 
Report  No.  75,  US  NAMTC  Pt.  Mugu,  July 
10,  1950. 

Ml  Madansky,  A.  , "Use  of  Tolerance  Limits  in 
Missile  Reliability  Analysis",  The  Rand  Corp 
Report  No.  RM-2423,  Jan  13, 

M2  Madansky,  A.  , "Approximate  Confidence 

Limits  for  the  Reliability  of  Series  and  Paral- 
lel Systems",  The  Rand  Corp.  , Report  No. 
RM- 2552,  April  4,  I960. 

M3  Madison,  R.  L.  , "An  Analysis  of  the  Effects 
of  Maintenance  on  Part  Replacements", 

Proc.  4th  Natl  Symp.  Rel  & Q.  C.  , Jan  6-8, 

1958,  pp ."19- 2^ 

M4  Malikov  (See  C6) 

M5  Marini,  J.  , Williams,  R.  , "Evaluation  & Pre- 
diction of  Circuit  Performance  by  Statistical 
Techniques",  IRE  Trans,  on  Rel.  & Q.  C.  , 
Vol.  RQC-9,  No.  1,  April  I960,  pp.  40-52. 

M6  Marini,  J.  , Brown,  H.  , and  Williams,  R.  , 

"The  Evaluation  and  Prediction  of  Circuit 
Performance  by  Statistical  Techniques," 
ARINC  Research  Corp.  , Pub.  No.  113,  Feb. 
r4,T95^ 

M7  Marini,  J.  and  Williams  R.  T.  , "The  Eval- 
uation and  Prediction  of  Circuit  Performance 
by  Statistical  Techniques",  Proc.  Joint  Mil- 
itary-Industry Guided  Missiles  Rel.  Symp. 

Pt.  Mugu,  Nov.  5,  1957. 

M8  Marshall,  W.  E.  (See  H13). 

M9  McLean,  J.  B.  and  Moskowitz,  F.  , "Some 

Reliability  Aspects  of  Systems  Design",  IRE 
Convention  Record,  Vol.  4 Part  6,  Mar.  195 6 
pp.  60-59.  Also  paper  by  same  title,  IRE 
Trans,  on  Rel.  & Q.  C.  No.  PGRQC-8,  Sept. 
195  6,  PP.  vtjf; 

M10  Meltzer,  S.  A.  , "Designing  for  Reliability", 
IRE  Trans,  on  Rel.  & Q.  C.  , No.  PGRQC-8, 
Sept.  195  6,  pp.  3 6-43. 

ML1  Meredith,  B.  (See  B6) 


M12  Morse,  P.  M.  , "Queues,  Inventories  and 
Maintenance",  John  Wiley  & Sons,  1958. 

M13  Moskowitz,  F.  (See  M9) 

M14  Moskowitz,  F.  , "Statistical  Analysis  of  Re- 
dundant Systems",  Lab  for  Electronics, 
Boston,  Mass.  March  29»  I960. 

M15  Mosteller,  F.  , Rourke,  R.  E.,  Thomas,  G. 

B.  Jr.  , "Probability  with  Statistical  Appli- 
cations", Addison- Wesley  Pub.  Co.  , Inc. 

1961. 

M16  Motorola,  Inc.  , Western  Military  Electronics 
Center,  "Reliability  and  Components  Hand- 
book", Revised  1-30-59. 

N1  Naresky,  J.  J.  , "Reliability  Prediction  and 
Test  Results  on  USAF  Ground  Electronic 
Equipment",  RADC-TN-58-177,  July  1958, 
ASTIA  AD148794.  Also  IRE  Natl  Conv. 
Record,  Vol.  6,  Part  6,  1958,  pp.  16^-177. 

N2  Nozick,  S.  , "Reliability  Estimation,  Pre- 
diction and  Measurement",  Electromechan- 
ical Design,  Jan/Feb.  1958. 

01  O'Leary,  W.  J.  , "Product  Design  Assurance 
Basic  Reliability  Concepts",  RCA,  Camden 
N.  J.  , Report  No.  EM- 60-418-75 , Nov.  l6, 
I960. 

02  Ordnance  Corps,  Dept,  of  the  Army  (Relia- 
bility Branch,  Diamond  ordnance  Fuze  Labs) 
"Reliability  Engineering  Notes",  April  I960. 

PI  Pascucci,  D.  (See  A5) 

P2  Philipson,  J.  L.  , "Operational  Reliability 
Model  for  a Reconnaissance  System",  IRE 
Natl  Conv.  Record,  Vol.  7,  Part  6,  March 
1959,  pp.  79-WT~ 

P3  Polovko  (See  M4) 

P4  Polovko,  A.  M.  "On  Computing  the  Reliability 
of  Complex  Automatic  Systems",  Izvestia 
Akad.  Nauk,  Otdel.  Tekh.  Nauk,  Energetika 
i Automatika  No.  5,  174-78,  Sept/Oct.  I960 
(English  translation  published  in  Automation 
Express,  Vol.  3 No.  6,  Feb.  1961,  pp.  37). 

P5  Portz,  K.  E.  , Smith,  H.  R.  , "Method  for  the 
Determination  of  Reliability",  IRE  Trans, 
on  Rel.  k Q,  C.  , No.  PGRQC-11,  Aug.  1957 
pp.  65-73. 

P6  Powell,  H.  R.  (See  K8) 

P7  Price,  H.  W.  , "Reliability  of  Parallel  Elec- 
tronic Components",  Proc.  1st  Symp.  on 
Military  Elec.  Rel.  and  Maintainability 
also  Proc.  5th  Joint  Military  - Indus  try"Symp 
on  Guided  Missile  Reliability. 

R1  Rand  Corp.  "A  Million  Random  Digits", 

Free  Press  cl955. 

R2  Randazzo,  F.  P.  , Stahl,  W.  J.  , "Generalized 
Mathematical  Model  for  Reliability  Studies 
of  Electronic  Equipment  Complexes",  IRE 
International  Conv.  Record,  Vol.  9,  Part  6 
1961,  pp.  216-22T! 

R3  RCA,  "Reliability  Stress  Analysis  for  Elec- 
tronic Equipment",  Report  No.  TR-1100, 

Nov.  28,  195  6.  (Also  issued  as  NAVships 
900-193  and  OTS,  Dept,  of  Comm.  , PB 
131678).  Subsequent  revision  included  in 
section  8,  RADC  Reliability  Notebook, 


399 


R3  (cont)  RADC  TR-58-111,  Sept.  1,  I960, 

ASTIA  AD1488  68,  OTS  PB  161894-1. 

R4  RCA  Service  Co.  , 11  Philosophy  and  Guide- 
lines for  Reliability  Prediction  of  Ground 
Electronic  Equipments'*,  Report  No.  R4-57, 
Oct.  15,  1957,  ASTIA  AJD14855 6. 

R5  RCA  Service  Co.  , "A  Prediction  of  AN/ 
GPX-20  Reliability",  Report  No.  R-3-5  7, 
ASTIA  AD  1485  62. 

R6  TRCA  Service  Co.  , " Prediction  & Measure- 
ment of  Air  Force  Ground  Electronic  Equip- 
ment Reliability",  Report  No.  RADC  TN58- 
307,  Aug.  15,  1958. 

R7  RCA  Victor  Co.  (See  K15) 

R8  Reeves,  T.  C.  , "Reliability- -Predicting 
Thermal  Results",  Military  Electronics, 

July  195  7.  

R9  Ritchie  (See  K7) 

RIO  Romanov  (See  M4) 

Rll  RADC  Reliability  Notebook,  Report  No, 

RADC -TR-58 -111,  rev.  to  ASTIA  AD148868, 
OTS  PB1 61894  and  PB16189TH: 

R12  RADC,  "System  Reliability  Prediction  by 
function",  PR  No.  152097,  Oct.  16,  1961 
and  "System  Effectiveness  Prediction  Model 
PR15  2098,  Oct.  16,  1961. 

R13  RADC,  "A  Technique  for  Estimating  Ball- 
park  Reliability  Figures  by  Tube  Counting", 
Report  No.  RADC  TN-58-81,  Mar.  1958. 
ASTIA  148647. 

R14  Rosenblatt,  J.  R.  , "On  Prediction  of  System 
Performance  from  Information  on  Component 
Performance",  Proc.  of  the  Western  Joint 
Computer  Conf.  Feb  1957,  pp.  85-94.  “ 

R15  'Rosenthal,  S,  A.  (See  J3) 

R16  Rosenthal,  S.  A.  (See  K3) 

R17  Rosner,  N.  , "Systems  Analysis -Non- Linear 
Estimation  Techniques",  Proc.  7th  Natl 
Symp.  Rel.  k Q.  C.  , Jan  9^11,  1961,  pp.  203. 

R18  Ross,  H.  D.  , "Development  of  Advanced 

Circuits  and  Circuit  Reliability  Techniques" 
International  Business  Machine  Co.  , March 
31,  1959,  ASTIA  AD 217664. 

51  Saunders,  S.  C.  (See  BIO) 

52  Scott,  S.R.  "Consideration  of  Deterioration 

Effects  in  Equipment  Reliability  Improve- 
ment Programs",  ARINC  Research  Corp. 

Pub.  No,  119,  May  14,  1958.  Also  Proc. 

Natl  Conf.  on  Aero.  Elec.  May  195lL 

53  Shannon,  Claude,  E.  , "A  Symbolic  Analysis 
of  Relay  and  Switching  Circuits",  Trans. 

of  the  AIEE,  Vol  57,  1938. 

54  Smith,  H.  R.  (See  P5) 

55  Stahl,  W.  J.  (See  R2) 

S6.  Sternberg,  A.  , "Reliability  Trade-Off  Anal- 
ysis Manual",  General  Electric,  Missile  & 
Space  Vehicle  Dept.  Jan  i960. 

57  Stokes,  R.  G.  , ^Handbook  for  the  Prediction 
of  Shipboard  and  Shore  Electronic  Equipment 
Reliability",  Vitro  Labs.,  Report  No.  133, 
April  1961.  (Also  NAVships  93820.  ) 

58  Stokes,  R.  G.  , " Re  suits  of  a Test  of  Relia- 
bility Prediction  Technique  and  Development 
of  a Correlation  Factor  for  Field  vs.  Lab- 
oratory Reliability  Measurements,  " Proc. 

5th  Natl  Symp.  Rel  & Q.  C.  , Jan  12-14,  1959 
pp.'  333-342.  — 


S9  Stoller,  D.  S.  , "A  Failure  Model  for  Equip- 
ment Undergoing  Complex  Operation",  The 
Rand  Corp.  Report  No.  P-927, 

T1  Tainiter,  M.  (See  B19) 

T2  Tall,  M.  M.  (See  H2) 

T3  Taylor,  N.H.,  "Designing  for  Reliability" 
MIT/Lincoln  Lab.  , Report  No.  TR  102, 

Dec.  9,  1955. 

T4  Tick,  L.  J.  (See  A6) 

T5  Tiger,  B.  , "Prediction  of  MTBF  Bounds  in 
Early  Design",  Proc..  6th  Natl  Symp.  Rel. 

&Q.  C.,  Jan  11-13,  I960,  pp.  286-292“. 

T6  Troxel,  D.  I.  & Wuerffel,  H.  L.  , "Design  Re- 
liability Analysis-- A Proven  Technique  for 
Product  Control  and  Enhancement",  Proc. 
6th  Natl  Symp.  Rel  & Q.  C.  , Jan  11-13,  I960, 
J7T^387: 

T7  Tsao,  T.  C.  & Walth/C.  - Editors,  "Elec- 
tron Tube  Life  Factors",  Engineering  Pub- 
lishers, 1959. 

Ul  U.  S.  Government  Printing  Office,  " Monte 

Carlo  Method11,  Proc,  of  a Symp.  sponsored 
by  The  Rand  Corp.  and  Natl  Bureau  of  Stds. 
Los  Angeles,  June  29  and  30,  1949. 

VL  Vitro  Laboratories,  "A  Summary  of  Relia^ 
bility  Prediction  and  Measurement  Guide- 
lines for  Shipboard  Electronic  Equipment", 
Report  No.  98,  April  15,  1957.  (See  S7  also) 
V2  Vitro  Laboratories,  "Techniques  for  Relia- 
bility Measurement  and  Prediction  Based  on 
Field  Failure  Data",  Report  No.  80,  Oct. 

10,  1955.  (See  S7  also) 

V3  Voegtlen,  H.  D.  , "The  RADC  Reliability  Pre- 
diction and  Measurement  Study",  Military 
Elec.  Rel.  & Maintainability  SympT^  RADC 
TR-58 -139B,  Vol.  2,  "Nov. ' 1958,  ASTIA 
AD14895  2, 

W1  Wahrhaftig,  W.  (See  D2) 

W2  Walsh,  C.  (See  T7) 

W3  Washburn  (See  K7) 

W4  Weiss,  G.  H.  (See  K10) 

W5  Weiss,  G.  H.  , (See  K16) 

W6  Welker,  E.  L.  (See  M4) 

W7  White sitt,  J.  , "Boolean  Algebra  and  Its 
Applications",  Addison- Wesley  Pub.  Co. 

1961  ‘ 

W8  Williams,  R.  T.  , "The  Value  of  Design  Pre- 
diction", Proc.  7th  Natl  Symp.  Rel  & Q.  C. 
Jan  9-11,  iW7pp.  375-379. 

W9  Williams,  R.  T.  , " Reliability  Prediction 
Procedures  , Implementing  Reliability 
Control",  5 th  Navy -Industry  Conf.  on  Mat- 
erial  Reliability,  Nov.  1,  2,  19 6l.  : 

W10  Williams,  R.  T.  (See  M5  and  M7) 

Wll  Woodbury,  M.  A.  (See  A6) 

W12  Wuerffel,  H.  L.  (See  T6) 

W13  Wuerffel,  H.  L.  , "Reliability  Theory  and 
Vital  Engineering  Interpretations",  Proc. 
of  the  195  6 Elec.  Comp.  Conf.  195  6. 

W14  Wuerffel,  H.  L.  , "Reliability  Prediction", 
Supplement  of  Newsletter,  Electronics  Div. 
ASQC,  April  l/T^OT; 

Y1  Youtcheff,  J.  S.  , (See  C5) 


400 


HYDRAULIC  CONTROL  RELIABILITY  IN  SPACE  VEHICLES 


By 

A*  B*  Billet 
Senior  Staff  Engineer 
Vickers  Incorporated 
Detroit,  Michigan 


Summary  y-y p f f 

This  paper  is  concerned  with  the  relia- 
bility OF  HYDRAUL I C CONTROLS  ON  PRESENT 
MISSILES  AND  SPACE  VEHICLES*  THE  SPECIAL 
TECHNIQUES  AND  PROBLEMS  THAT  REQUIRED 
SOLVING  ARE  REVIEWED  TO  MEET  THE  HIGH 
RELIABILITY  REQUIREMENTS  OF  THE  CONTROL 
SYSTEMS  OF  THE  MlNUTEMAN,  ATLAS,  POLARIS, 

and  Skybolt  vehicles. 

This  has  resulted  in  the  development  of 

NEW  RELIABILITY  TECHNIQUES  AND  ANALYSES 
TO  MEET  THESE  REQUIREMENTS. 

I NTRODUCT I ON 

IT  IS  HIGHLY  SIGNIFICANT  THAT  AS  WE 
ENTER  OUR  FIFTH  YEAR  OF  SPACE  EXPLORATION 
WE  SEE  CONTINUAL  ADDED  EMPHASIS  BEING 
PLACED  UPON  THE  RELIABILITY  OF  SPACE 
VEH  I CLES. 

With  the  entry  of  man  into  the  space 

ENVIRONMENT  THE  NEED  FOR  RELIABILITY  HAS 
BECOME  EVEN  GREATER.  We  ARE  NOT  ONLY  CON- 
CERNED WITH  THE  MANY  MILLION  DOLLARS  OF 
MONEY  EXPENDITURES,  BUT  NOW  WE  ARE  CON- 
CERNED WITH  RELIABILITY  IN  REGARD  TO  HUMAN 

life.  During  the  latter  part  of  this 

DECADE  WE  WILL  SEE  THE  BEGINNING  OF  LUNAR 
EX  PLORAT I ON. 

It  speaks  well  for  reliability  that  the 
United  States*  first  space  effort,  Explorer 
X,  A 31  *-B.  CYLINDER,  WHICH  WAS  LAUNCHED  ON 

January  31 , 1958,  is  still  in  orbit.  It 

IS  TRULY  SIGNIFICANT  RELIABILITY-WISE  THAT 
THIS  PIONEER  SPACECRAFT  MAY  STILL  BE  IN 
ORBIT  WHEN  MAN  FIRST  SETS  FOOT  ON  THE  MOON 
DURING  THE  LATTER  PART  OF  THIS  DECADE. 


It  IS  HIGHLY  SIGNIFICANT  TO  THESE  VITAL 
SPACE  PROGRAMS  THAT  THE  AEROSPACE  INDUSTRY 
NOW  RECOGNIZES  THAT  RELIABILITY  IS  ONE  OF 
THE  MOST  PERTINENT  PARTS  OF  THESE  PROGRAMS. 

Hydraulic  Controls  in  Space  Environments 

In  respect  to  the  new  problems  and  new 
environment  studies  that  space  travel  HAS 

BROUGHT  ABOUT,  SPECIAL  CONSIDERATION  HAS 
BEEN  GIVEN  TO  FURTHER  THE  DEVELOPMENT  AND 
FURTHER  INCREASE  THE  RELIABILITY  OF  HYD- 
RAULIC CONTROLS  FOR  THESE  SPACE  VEHICLES. 

Figure  1 shows  a summary  of  the  major 

ENVIRONMENTAL  CONDITIONS  THAT  MIGHT  BE 
EXPECTED  IN  THE  NEXT  TEN  YEARS  OF  SPACE 
FLIGHT.  THE  PRELIMINARY  INSTRUMENTATION 
SATELLITES  HAVE  SHOWN  THAT  IN  SOME  CASES 
SOME  OF  THE  ACTUAL  ENVIRONMENTS  ENCOUNTERED 
WERE  CONSIDERABLY  DIFFERENT  THAN  THAT 
PREVIOUSLY  THOUGHT  TO  EXIST.  I BELIEVE 
THAT  MUCH  OF  OUR  FUTURE  EXPLORATION  OF 
SPACE  WILL  BE  BASED  UPON  THE  FACT  THAT  IN 
A PAST  THREE  YEAR  PERIOD  THE  UNITED  STATES 
HAS  LAUNCHED  66  INSTRUMENTATION  SATELLITES. 

The  HYPER-ENVIRONMENTS  THAT  THE  CONTROL 
EQUIPMENT  MUST  BE  DESIGNED  TO  EITHER 
OPERATE  IN,  OR  BE  IN  SATISFACTORY  STATIC 
CONDITION  IN,  INCLUDE  THE  NATURAL  ENVIRON- 
MENTS SUCH  AS  HIGH  TEMPERATURE  AND  TEMP- 
ERATURE SHOCK,  LOW  AMBIENT  PRESSURE,  OZONE 
CONTENT,  RADIATION,  COSMIC  RAYS,  DISASSOCI- 
ATION  (ATOMIC  OXYGEN),  AND  OTHERS. 

Figure  2 shows  possible  projected  space 

VEHICLES  DURING  THE  NEXT  SEVEN  YEARS, 
TOGETHER  WITH  THOSE  OF  THE  PAST  FIVE  YEARS. 

Minimizing  Space  Environments 


I BELIEVE  THAT  1962  WILL  PROVE  TO  BE  ONE 
OF  THE  MOST  PHENOMENAL  AND  ACTIVE  YEARS  IN 

the  Golden  Decade,  I960  to  1970,  of  space 

EXPLORATION.  THE  YEAR  1962  WILL  PROBABLY 
SEE  A TOTAL  OF  5 TO  6 MANNED  ORBITAL  SPACE 
FLIGHTS  WITH  TWO  OF  THESE  PROBABLY  BEING 
OF  THE  18  ORBITAL  TYPE.  Th I S SAME  YEAR  WILL 
PROBABLY  SEE  MORE  THAN  10  MAJOR  LAUNCH 
VEHICLE  TESTS  INCLUDING  THOSE  OF  THE  SCOUT, 

Centaur,  and  Saturn  vehicles. 

Other  space  efforts  will  probably  include 
SIX  communication  vehicles,  five  meteorolog- 
ical, AND  PERHAPS  THE  MOST  SIGNIFICANT  OF 
ALL,  THE  BEGINNING  OF  OUR  LUNAR  EXPLORATION 
WORK  ON  THE  RANGER  PROGRAM. 


One  OF  THE  MAJOR  WAYS  OF  REDUCING  THE 
EFFECTS  OF  THESE  COMBINED  ENVIRONMENTS  IS 
THE  INTEGRATED  PACKAGING  OF  THESE  HYDRAULIC 
CONTROLS  FOR  SPACE  OPERATION.  TYPICAL  OF 
THIS  PACKAGING  OF  EQUIPMENT  IS  SHOWN  IN 

Figure  3,  showing  the  cutaway  of  a motor- 

pump  USED  IN  THE  MlNUTEMAN  MlSSILE  APPLI- 
CATION. 

THE  PACKAGING  OF  COMPONENTS  MINIMIZES 
OR  ELIMINATES  SUCH  PROBLEMS  AS  EXTERNAL 
LEAKAGE,  VARYING  EFFECTS  OF  GRAVITY  IN 
WIDELY  SPACED  COMPONENTS,  AND  OTHER  PROBLEMS 

The  Figure  3 packaging  contains  an  electric 

MOTOR,  HYDRAULIC  PUMP,  RESERVOIR,  HYDRAULIC 
FILTER,  CHECK  VALVE,  PRESSURE  TRANSDUCER, 
PRESSURE  SWITCH,  FILL  AND  BLEED  DISCONNECTS. 


401 


For  minimizing  temperature  effects  in 

MANY  HYDRAULIC  SYSTEM  COMPONENTS  USED  IN 
OUTER  S'-ACE,  STAINLESS  STEEL  "O1'  RINGS  ARE 
USED  IN  PLACE  OF  SEALS  MADE  FROM  ELASTOMERIC 
MATERIAL,  In  THE  CASE  OF  THE  ELECTRIC 
DRIVE  MOTOR,  A THERMISTOR  IS  IMBEDDED  IN 
THE  MOTOR  FIELD  COIL  TO  MEASURE  CRITICAL 
OPERATING  TEMPERATURES  OF  THE  MOTOR  AND 
PREVENT  INADVERTENT  OVERHEATING  DURING 
OPERATION.  THE  THERMISTOR  CAN  BE  USED  IN 
AN  ELECTRICAL  BRIDGE  CIRCUIT  TO  AUTOMATI- 
CALLY CUT  OR  REDUCE  POWER  IN  THE  EVENT  THAT 
OVERHEATING  OCCURS# 

For  minimization  of  the  effects  of  low 

AMBIENT  PRESSURES  AND  WEIGHTLESSNESS,  THE 

integrated  hydraulic  system  package  is 

THE  MOST  EFFECTIVE  MEANS  IN  REDUCING  THESE 
EFFECTS.  AS  IN  THE  CASE  OF  THE  MOTORPUMP 

shown  in  Figure  3,  a sealed  steel  bellows 
"bootstrap”  type  RESERVOIR  IS  USED  FOR 
PRESSURIZING  THE  INLET  SIDE  OF  THE  SYSTEM. 

The  "bootstrap11  type  reservoir  uses  high 

SYSTEM  PRESSURE  ON  A DIFFERENTIAL  AREA  TO 
PRESSURIZE  THE  LOW  PRESSURE  PART  OF  THE 
SYSTEM. 

Space  Reliability  Of  Hydraulic  Controls 

As  A RESULT  OF  THE  COMBINED  ENVIRON- 
MENTAL OPERATING  CONDITIONS  AND  THE  RESULT- 
ANT EXPENDITURES  OF  MILLIONS  OF  DOLLARS 
FOR  DEVELOPMENT  OF  THESE  SPACE  VEHICLES 
AND  THEIR  COMPONENTS,  EXTREME  EMPHASIS 
HAS  BEEN  PLACED  DURING  THE  PAST  FEW  YEARS 
ON  IN-FLIGHT  RELIABILITY.  THIS  IMPORTANCE 
IS  FURTHER  EMPHASIZED  WITH  THE  CARRYING  OF 
MAN  INTO  SPACE*  THIS  HAS  RESULTED  IN  NEW 
CONTROLS  AND  NEW  TECHNIQUES  BEING  APPLIED 
TO  OBTAIN  THE  DESIRED  RELIABILITY.  SOME  OF 
THE  SPECIAL  PROCEDURES  FOR  THE  HYDRAULIC 
COMPONENTS  USED  IN  SUCH  VEHICLES  AS  THE 

Minuteman,  Polaris,  Atlas,  and  Skybolt 
Missiles  are  briefly  summarized. 

Minuteman  Auxiliary  Power  System 

The  auxiliary  power  system  shown  in 
Figure  3 is  used  in  the  control  system  of 
the  Minuteman  Missile.  The  first  stage 

COMPONENT  HAS  A VARIABLE  DISPLACEMENT  PUMP 
THAT  PRODUCES  3*7  GALLONS  PER  MINUTE  AT 
12,000  RPM  PUMP  SPEED,  Al  3000  PS  I , THIS 
IS  6-1/2  HORSEPOWER.  SIMILAR  UNITS  OF 
SMALLER  CAPACITY  ARE  USED  IN  THE  SECOND 
AND  THIRD  STAGES  OF  THE  MlNUTEMAN  VEHICLE, 
WHICH  IS  SHOWN  IN  FIGURE  k. 

The  equipment  on  this  program  has  a 
RELIABILITY  REQUIREMENT  OF  0.9998  FOR  A 
FLIGHT  DUTY  CYCLE*  PREVIOUSLY,  IN  THE 
NORMAL  LONG  LIFE  UNITS  THE  TEST  DATA 
REQUIRED  TO  SUBSTANTIATE  RELIABILITY 
FIGURES  WERE  OFTEN  OF  AN  EXTREMELY  PROHIB- 
ITIVE NATURE  IN  RESPECT  TO  BOTH  MONEY  AND 

time.  However,  with  many  of  the  more 

RECENT  MISSILE  APPLICATIONS  IN  WHICH  A 
SHORT  LIFE  TIME  IS  SPECIFIED,  SUCH  AS  OF 


100  to  200  hour  Mean  Time  Between  Failures, 

ACTUAL  TESTING  PROGRAMS  TO  INDICATE  RELIA- 
BILITY ARE  NOW  WITHIN  THE  SCOPE  OF  AVAILABLE 
MONEY, 

TO  PERMIT  THE  AS  C E R T A T I ON  OF  THIS  DATA 
WITHIN  A REASONABLE  TIME  PERIOD  AND  AT  A 
REASONABLE  COST,  CONFIDENCE  FACTORS  IN 
THE  NEIGHBORHOOD  OF  60  PERCENT  TO  70  PERCENT 
ARE  NOW  USED  INSTEAD  OF  THE  PREVIOUSLY 
DICTATED  90  PERCENT  OR  HIGHER. 

Reliability  Management  Control 

The  Minuteman  auxiliary  power  system 

RELIABILITY  PROGRAM  CONSISTS  OF  A VERY 
SPECIALIZED  ADVANCED  RELIABILITY  CONCEPT, 

ONE  OF  THE  ITEMS  ON  THIS  PROGRAM  THAT  HAS 
BEEN  GIVEN  INTENSIVE  ATTENTION  IS  THE  VERY 
EXTENSIVE  MANAGEMENT  CONTROL  IN  RESPECT 
TO  RELIABILITY*  THIS  HAS  INCLUDED  ALL 
PHASES  OF  MANAGEMENT  INCLUDING  THAT  OF 
MANUFACTURING,  ENG  I NEER [ NG , PURCHASING, 

AND  SERV  ICE. 

One  of  the  top  factors  of  this  phase 

OF  THE  PROGRAM  IS  AN  EXCELLENT  DATA  AND 
INFORMATION  VISIBILITY  CONDITION  FOR  TOP 
MANAGEMENT  TO  WHERE  THEY  CONTINUOUSLY 
HAVE  THE  UPDATED  INFORMATION  ON  THE  PROGRAM 
WITHOUT  HAVING  TO  GO  THROUGH  TWO  OR  THREE 
LOWER  ECHELONS  TO  OBTAIN  THIS  MATERIAL* 

This  has  brought  about  the  extensive 
use  of  the  Program  Evaluation  and  Review 
Technique  (PERT)  concept  and  with  even  a 

TAILORING  OF  THIS  CONCEPT  FOR  THE  SPECIFIC 
A PPL ICAT 1 ON. 

Figure  5 shows  a condensed  version  of 

THE  PERT  NETWORK  USED  ON  THIS  PROGRAM, 

AS  MANY  OF  YOU  ARE  ACQUAINTED,  THE  ORIGINAL 
PERT  J Program  was  event  orientated  and 

CONCERNED  ITSELF  ALMOST  SOLELY  WITH 
SCHEDUL I NG , 

The  program  used  here,  which  is  a 
MODIFICATION  OF  PERT  TT,  1 S ACTIVITY 
ORIENTATED  AND  NOT  ONLY  GIVES  MAJOR  CON- 
CERN FOR  SCHEDULING  BUT  ALSO  PROVIDES  FOR 
FINANCIAL  CONTROL  AND  ANALYSIS  BY  MANAGE- 
MENT* With  it  being  activity  orientated, 
MORE  DETAILED  PERT  CHARTS  SHOW  A VERY 
FINE  ACTIVITY  SCHEDULING  OF  THINGS  THAT 
HAVE  TO  BE  DONE*  WITH  THIS  METHOD  IT  IS 
VERY  DIFFICULT  TO  OMIT  SOMETHING  UNINTEN- 
TIONALLY DURING  THE  PROGRAM,  THIS  AND 
OTHER  PERT  NETWORKS  ARE  WORKING  TOOLS  TO 
PREPARE  ADDITIONAL  INFORMATION  FOR  MANAGE- 
MENT REVIEW, 

One  of  the  strong  points  of  this  program 

HAS  BEEN  VERY  HEAVY  EXCELLENT  DOCUMENTATION 
FOR  EVERY  SUB-PHASE  OF  THIS  PROGRAM.  THIS 
PERMITS  A CONTINUOUS  MONITORING  ON  A DAILY 
AND  WEEKLY  BASIS  AND  ELIMINATES  PAST 
DIFFICULTIES  OF  HAVING  TO  GO  BACK  THROUGH 
HISTORY  AND  DOCUMENT  THE  PROGRAM  FROM  AN 
AFTER-THE-FACT  ACTIVITY. 


This  tv pe  of  action  then  makes  possible 

CORRECTION  ACTION  BY  MANAGEMENT  ON  A 
BEFORE-THE-FACT  BASIS  RATHER  THAN  ON  AN 
AFTER-THE-FACT  BASIS,  THIS  IS  ONE  OF  THE 
STRONGEST  POINTS  OF  THIS  PHASE  OF  THE 
RELIABILITY  PROGRAM*  THIS  PART  OF  THE 
PROGRAM  HAS  PROVED  EXTREMELY  VALUABLE  WHEN 
A MULTI- PLANT  MANUFACTURING  ACTIVITY  IS 
INVOLVED  TOGETHER  WITH  MANY  VENDORS, 

Under  the  previous  conventional  methods, 

INFORMATION  REPORTING  BETWEEN  PLANTS  AND 
VENDORS  OFTEN  LAGGED  BY  SEVERAL  WEEKS  Oft 
SEVERAL  MONTHS, 

TRA I N I NG 

A SECOND  MAJOR  AREA  IN  THE  WlNUTEMAN 
APU  RELIABILITY  PROGRAM  HAS  BEEN  A VERY 
COMPREHENSIVE  TRAINING  ACTIVITY,  THIS 
TRAINING  ACTIVITY  HAS  BEEN  VERY  EXTENSIVE 
TO  COVER  TOP  MANAGEMENT  DOWN  THROUGH  ALL 
ELEMENTS  OF  SUPERVISION  TO  THE  ACTUAL 
WORKER  ON  THE  JOB* 

One  ASPECT  OF  THE  TRAINING  PROGRAM 
UTILIZES  MOTIVATION  TRAINING  DESCRIBING 
TO  EACH  LEVEL  THEIR  PART  IN  THE  RELIABILITY 
TEAM  EFFORT.  THIS  HAS  BEEN  APPROACHED 
FROM  A WEAPONS  SYSTEMS  STANDPOINT.  THE 
SECOND  PHASE  OF  THE  TRAINING  APPROACH  HAS 
BEEN  THROUGH  ON-THE-JOB  TRAINING;  WHICH 
NOT  ONLY  FAMILIARIZES  EACH  EMPLOYEE  IN- 
VOLVED WITH  THEIR  SPECIFIC  DUTIES,  BUT 
ENSURES  FROM  A MANAGEMENT  VISIBILITY 
STANDPOINT  THE  ADEQUACY  OF  SKILLS  AND 
NECESSARY  PROCEDURAL  INSTRUCTIONS  SO  THAT 
THE  PRODUCT  CAN  BE  PRODUCED  IN  A CONTROLLED 
AND  FUNCTIONAL  MANNER. 

The  training  sessions  have  included 

MOVIE  MATERIAL  SUPPLIED  BY  BOTH  THE  PRIME 
CONTRACTOR  AS  WELL  AS  GOVERNMENT  SOURCES 
AND  ACTUAL  CLASSROOM  INSTRUCTION  WORK. 

One  of  the  focal  points  of  the  training 

PROGRAM  IS  THE  REQUIREMENT  THAT  ALL  PER- 
SONNEL IN  THE  MAJOR  MANUFACTURING  AREAS 
WORKING  ON  THE  WlNUTEMAN  PROGRAM  ARE 
CERTIFIED.  This  CERTIFICATION  COMES  ABOUT 
ONLY  AFTER  THE  INTENSIVE  TRAINING  PROGRAM 
AND  UPON  THE  COMPLETION  OF  PASSING  A 
WRITTEN  TEST  IN  RESPECT  TO  THIS  PROGRAM, 

Reliability  Through  Serialization 

Another  major  phase  of  this  reliability 

IS  THE  SERIALIZATION  PROGRAM.  THIS  PRO- 
GRAM INVOLVES  THE  DETAILED  DOCUMENTATION 
OF  ALL  MAJOR  DIMENSIONS  AND  METALLURGICAL 
CHARACTERISTICS  OF  EACH  MAJOR  PART  AND 
SUB -ASSEMBLY  OF  THE  APU* 

This  detail  includes  metallurgical  melt 

INFORMATION  ON  BEARING  BALLS,  COMPLETE 
DOCUMENTATION  ON  HEAT  TREAT  CONDITIONS  OF 
VARIOUS  PARTS,  AS  WELL  AS  THE  NORMAL  DIMEN- 
SIONAL AND  HARDNESS  INFORMATION. 


With  the  serialization  data,  a "baby 

BOOK11  IS  COMPILED  ON  EACH  APU  HAVING  THE 
TOTAL  INFORMATION  PREVIOUSLY  OUTLINED.  In 
THIS  BOOK  IS  ALSO  THE  PRODUCTION  PERFORMANCE 
DATA. 

Product  Homogene i t y 

With  the  centralizing  of  this  total 
information  on  each  specific  component, 
many  reliability  studies  can  then  be  made 

WITH  THIS  MATERIAL.  ONE  OF  THE  MAJOR 
STUDIES  DONE  WITH  THIS  MATERIAL  IS  PRODUCT 
HOMOGENEITY.  IN  THIS  PROGRAM,  STUDIES  ARE 
MADE  TO  DETERMINE  THE  PATTERN  OF  DIMENSIONS 
PRODUCED  BY  THE  MACHINING  PROCESS. 

This  system  makes  possible  the  actual 

LOCATION  OF  THE  MOST  IMPORTANT  DIMENSIONAL 
AND  PHYSICAL  CHARACTERISTICS  IN  EVERY  APU. 

The  benefit  from  this  knowledge  makes  most 

EFFICIENT  ANY  NECESSARY  RETROFIT  INVOLVING 
A MINOR  MODIFICATION  OF  DIMENSIONAL  OR 
ME  T ALLURG ICAL  CHARACTERISTICS. 

By  PREVIOUS  METHOD,  IF  A DECISION  WAS 
MADE  TO  FIELD  RETROFIT  UNITS  WITH  A 
DIFFERENT  PART  AS  A RESULT  OF  A DIMENSIONAL 
CHANGE,  IT  WAS  NECESSARY  TO  DISASSEMBLE 
AND  INSPECT  ALL  UNITS  TO  PICK  OUT  THE 
SPECIFIC  REQUIRED  UNITS  REQUIRING  RETROFIT, 

With  this  program  units  can  be  immediately 

IDENTIFIED  BY  SERIAL  NUMBER  FOR  FIELD 
RETROFIT* 

Analysis  Product  Un i formi ty 

With  this  serialization  information 

THE  ANALYSIS  OF  CAUSE  AND  EFFECT  THAT 
EXISTS  BETWEEN  DIMENSIONS  AND  CHARACTER- 
ISTICS AND  THE  PERFORMANCE  OF  THE  APU  CAN 
BE  ASCERTAINED  BY  CORRELATION  ANALYSIS. 

A RELATIVELY  NEW  APPROACH  TO  THIS  CONCEPT 
IS  BEING  UTILIZED  WITH  THE  USE  OF  EDGE 
CODED  CARD  MULTI-FACTOR  ANALYSIS. 

In  essence,  this  analytical  technique 
records  characteristic  and  dimensional 

data  IN  THE  FORM  OF  NOTCHES  ON  THE  PERIPHERY 
OF  A RECORD  CARD,  AS  SHOWN  IN  Pi  CURE  6, 

WHILE  THE  PERFORMANCE  OUTPUT  IS  RECORDED 
ON  THE  FACE  OF  THE  CARD,  STACKING  OF  THE 
PERTINENT  CARDS  IN  ASCENDING  ORDER  OF  A 
GIVEN  PERFORMANCE  PARAMETER  AND  ANALYZING 
THE  PATTERN  OF  NOTCHES  THAT  RESULT  WHEN 
VIEWING  THE  EDGE  OF  THE  STACKED  DECK 
PERMITS  RAPID  IDENTIFICATION  OF  SIGNIFI- 
CANT DORR EL AT  ION  BETWEEN  CHARACTERISTICS 
AND  PERFORMANCE.  THESE  IDENTIFIED 
CHARACTERISTICS  CAN  THEN  BE  A TOPIC  OF 
A DETAILED  STUDY. 

Des  ign  Rev i ews 

In  addition  to  the  specialized  relia- 
bility PHASES  OUTLINED  ABOVE,  THE  NORMAL 
STANDARD  RELIABILITY  PROGRAMS  ARE  ALSO 

used.  These  include  such  items  as  detailed 

DESIGN  REVIEWS,  AS  OUTLINED  IN  FIGURE  7* 


There  are  actually  three  separate  design 
reviews;  the  first  being  within  the  engi- 
neering SECTION  WITH  a COMPREHENSIVE 
REVIEW  BEING  MADE  BY  BOTH  THE  GROUP 

Supervisor  and  the  Section  Head*  As 

OUTLINED  IN  FIGURE  7*  IN  THIS  PHASE  OF 
THE  DESIGN  REVIEW  THERE  ARE  AT  LEAST  SEVEN 
RELIABILITY  CHECK  POINTS. 

A SECOND  DESIGN  REVIEW  IS  MADE  SY  A 
DESIGN  REVIEW  SPECIALIST  THAT  REPORTS  ONLY 

to  the  Chief  Engineer.  Prior  to  the 

RELEASE  OF  THE  DESIGN,  THIS  SPECIALIST  IS 
REQUIRED  TO  SIGN  OFF  THE  PROJECT  AS  BEING 
SATISFACTORY  FROM  A DESIGN  AND  RELIABILITY 
STANDPOi NT* 

A THIRD  REVIEW  IS  MADE  BY  AN  I MPA  R T I AL 
DESIGN  REVIEW  COMMITTEE  MADE  UP  OF  NOT 
ONLY  PROJECT  ENGINEERING  PERSONNEL,  BUT  ALSO 
REPRESENTATION  FROM  PURCHASING,  MANUFAC- 
TURING, QUALITY  AND  STANDARDS. 

Other  standard  reliability  phases  include 

FAILURE  MODE  ANALYSIS  AND  A P PO R T I 0 NME N T . 

In  this  latter  work  the  breakdown  of  the 

RELIABILITY  REQUIREMENT  IS  MADE  FOR  SPECI- 
FIC SUB-ASSEMBLIES  AND  SPECIFIC  PARTS. 

Also  determined  in  these  other  phases  is 

the  ESTABLISHMENT  OF  A VENDOR  SUPPLY  RELIA- 
BILITY PROGRAM  and  a MONITORING  OF  SUCH, 

Polaris  Missile  Motorpump 

A SECOND  MISSILE  HYDRAULIC  UNIT  THAT  IS 
RECEIVING  CONSIDERABLE  RELIABILITY  ATTEN- 
TION is  the  AA-19566  motorpump,  which  is 
USED  IN  THE  FLIGHT  CONTROL  SYSTEMS  OF  THE 

Polaris  Missile,  which  is  shown  in  Figure 
8*  This  electric  motor  driven  pump  is  a 

VARIABLE  DISPLACEMENT  PUMP  PRODUCING 
APPROX  I MATEL Y 1 GALLON  PER  MINUTE  FLOW  AT 
11,400  RPM,  AND  AT  3000  PS » PRESSURE* 

This  unit,  as  shown  in  Figure  9»  is  driven 

BY  DIRECT  CURRENT  ELECTRIC  MOTOR.  As 
INDICATED  IN  FIGURE  9*  THE  UNIT  IS  PAR- 
TIALLY ENCLOSED  IN  A SILICONE  RUBBER  IN- 
SULATION BLANKET  BONDED  TO  IT  FOR  HEAT 
BARR  I ER  PROPER? I ES . 

This  insulation  is  left  in  the  uncured 

STATE,  AND  CURES  AS  IT  AGES*  THE  RUBBER 
WILL  WITHSTAND  APPROXIMATELY  600°F  TO 
1000°F  TEMPERATURES.  ONE  UNIT  IS  KNOWN 
TO  HAVE  RECEIVED  THE  DIRECT  BLAST  OF  THE 
NOZZLE, AND  SAW  TEMPERATURES  OVER  2QOG°F, 

AND  STILL  OPERATED. 

This  motorpump  development  and  manu- 
facturing PROGRAM  USES  MANY  OF  THE  TECHNI- 
QUES DESCRIBED  PREVIOUSLY  FOR  THE  PREVIOUS 
APS  PROGRAM. 

One  of  the  parts  of  the  Polaris  relia- 
bility PROGRAM  HAS  BEEN  A WEAPON  SYSTEM 
COST  EFFECT  I VENESS  PHILOSOPHY,  THIS 
PROGRAM  CONCENTRATES  THE  RELIABILITY 
DOLLARS  IN  THOSE  AREAS  WHICH  COULD  YIELD 


THE  HIGHEST  RATIO  OF  RELIABILITY  IMPROVEMENT 
PER  DOLLAR  SPENT.  TYPICAL  OF  THIS  PART  OF 
THE  PROGRAM  IS  THE  USE  OF  A VISUAL  PATCH 
STANDARD  IN  DETERMINING  THE  EARLY  TEST 
PHASE  CLEANLINESS  LEVEL  OF  THE  COMPONENTS. 

The  visual  patch  standard  follows  the 
Society  of  Automotive  Engineers  ARP-57? 

DOCUMENT  WITH  CERTAIN  MODIFICATIONS,  THIS 
METHOD  COLLECTS  ALL  OF  THE  CONTAMINATION 
IN  HYDRAULIC  FILTERS  AFTER  A CERTAIN  RUNNING 
PERIOD,  AND  THEN  HAS  THE  CONTAMINATION  PUT 
ON  A FILTER  PAPER.  THE  FILTER  PAPER  THEN 
HOLDS  THE  TOTAL  CONTAMINATION  TAKEN  FROM 
A SYSTEM  OVER  A SPECIFIC  TIME  PERIOD,  SUCK 
AS  A ONE-HALF  HOUR  TEST.  The  FILTER  PAPER 
SAMPLE  IS  THEN  COMPARED  VISUALLY  TO  A 
STANDARD  SAMPLE.  A TYPICAL  PATCH  STANDARD 

is  shown  in  Figure  10.  The  amount  of 

CONTAMINANT  COLLECTED  IS  DETERMINED  BY 
VISUAL  INSPECTION  AS  TO  LIGHT  COLOR 
DIFFERENCES  AS  WELL  AS  INSPECTION  FOR 
INDIVIDUAL  PARTICLES.  WlTH  THIS  METHOD 
A SYSTEM  CONTAMINATION  DETERMINATION  CAN 
USUALLY  BE  MADE  WITHIN  ONE-QUARTER  TO 
ONE-HALF  HOUR. 

|T  IS  ONLY  DURING  THE  FINAL  TEST  PHASES 

That  the  more  expensive  particle  count  is 

USED  IN  DETERMINING  FINAL  UNIT  CLEANLINESS 

level.  This  method  uses  the  SAE  ARP  59^ 

PROCEDURE,  WHICH  TAKES  A SMALL  SAMPLE  OF 
HYDRAULIC  FLUID  FROM  A 'SYSTEM,  THIS  FLUID 
IS  THEN  FILTERED  THROUGH  A VERY  FINE 
MiLLIPORE  FILTER  MEMBRANE  AND  THE  NUMBER 
OF  INDIVIDUAL  PARTICLES  ARE  THEN  COUNTED 
WITH  A MICROSCOPE  AND  CLASSIFIED  AS  TO 
SIZE  AND  OCCASIONALLY  TYPE*  THIS  TYPE  OF 
PROCEDURE  USUALLY  TAKES  SEVERAL  HOURS* 

Much  of  the  final  assembly  and  test  work 

OF  MISSILE  UNITS  OF  THIS  TYPE  THAT  REQUIRE 
A VERY  HIGH  DEGREE  OF  CLEANLINESS  IS  DONE 
IN  A CLEAN  TYPE  ROOM,  AS  SHOWN  IN  FIGURE 
11  * 

Reliability  controls  for  the  operation 

OF  THIS  TYPE  OF  ROOM  ARE  VERY  STRICT  AND 
REQUIRE  ONLY  CERTIFIED  PERSONNEL  THAT  ARE 
FAMILIAR  WITH  CLEAN  ROOM  OPERATION  TO  WORK 
IN  THIS  AREA,  THIS  ROOM  IS  TYPICAL,  IN 
WHICH  AT  LEAST  TWO  ANTI-ROOMS  ARE  USED; 

ONE  FOR  DRESSING,  AND  THE  SECOND  FOR 
VACUUMING  AND  CLEANING  OF  PERSONNEL  AS 
THEY  GO  INTO  THE  MAIN  CLEAN  ROOM  AREA. 

This  PARTICULAR  ROOM  IS  COMPLETELY  VACUUMED 
INCLUDING  WALLS,  CEILING,  FLOORS,  AND  SO 
FORTH,  EACH  DAY. 

This  motorpump  reliability  program 

CONSISTS,  AT  THE  PRESENT  TIME,  OF  A MANU- 
FACTURING CONCENTRATION  OF  RELIABILITY 
AND  ANALYTICAL  APPROACH  TO  MEETING  THE 
CONTRACTUALLY  REQUIRED  QUANTITATIVE  RELIA- 
BILITY measure.  This  takes  form  in  the 

UTILIZATION  OF  A QUALITY  ANALYSIS  FUNCTION 
DIRECTED  TOWARD  ASCERTAINMENT  OF  MARGINAL 
AND  SUB-MARGINAL  PRODUCT.  THIS  APPROACH 
UTILIZES  THE  AVAILABLE  STATE-OF-THE  ART 


TECHNIQUES  OF  RELIABILITY  ANALYSIS*  AS 

WELL  AS  MANY  STATISTICAL  TOOLS. 


Skybolt  Hot  Gas  APU 


Atlas  Control  Pumps 

The  variable  displacement  pumps  used 
in  the  Atlas  Missile*  Figure  12*  program 

ALSO  RECEIVES  MANY  RELIABILITY  AND  CLEAN- 
LINESS TEST  PHASES  AS  PREVIOUSLY  DE  SCR  I BED. 

Forking  in  conjunction  with  the  missile 

AIRFRAME  MANUFACTURER  CONSIDERABLE  DEVELOP- 
MENT WORK  WAS  CONDUCTED  AS  EARLY  AS  1956 
AND  1957  IN.  PARTICLE  COUNTING  TECHNIQUES 
FOR  CONTAMINATION  CONTROL  OF  MISSILE  SYSTEM 
COMPONENTS*  THIS  WORK  ACTUALLY  PRECEDED 
THE  PRESENT  PARTICLE  COUNT  STANDARD  ARP 
598  BY  THREE  YEARS.  MANY  OF  THE  TECHNIQUES 
INITIALLY  DEVISED  FOR  THIS  PROGRAM  LATER 
BECAME  A PART  OF  THIS  CLEANLINESS  STANDARD. 

Many  unique  techniques  for  control 

SYSTEM  COMPONENTS  WERE  USED  TO  OBTAIN  THE 
RIGID  CLEANLINESS  REQU I REME NT S ♦ THESE 
INCLUDED  NOT  ONLY  THE  ULTRA-SON  I C CLEAN- 
ING OF  THE  COMPONENTS  OF  THE  CONTROL  PUMP* 
BUT  ALSO  INCLUDED  ULTRA-SONIC  CLEANING  OF 
THE  COMPLETELY  ASSEMBLED  PUMP  AND  MECHANI- 
CAL SHAKING  OF  COMPLETELY  ASSEMBLED  PUMPS 
ON  A PRODUCTION  BASIS. 

This  probably  was  the  initial  phase 

AND  DEVELOPMENT  ACTIVITY  OF  STRICT  CON- 
TAMINATION CONTROL  OF  MISSILE  SYSTEM 
HYDRAULIC  COMPONENTS  IN  THIS  COUNTRY.  As 
A RESULT  OF  THESE  UNUSUAL  CLEANLINESS 
TECHNIQUES  DEVELOPED*  THE  COMPONENT  CLEAN- 
LINESS LEVEL  COULD  THEN  BE  CONFIRMED  BY 
THE  MISSILE  MANUFACTURER  UPON  RECEIVING 
THE  COMPONENT*  AS  WELL  AS  IT  BEING  DETER- 
MINED AND  MAINTAINED  DURING  A NUMBER  OF 
MISSILE  SYSTEM  CHECK-OUTS. 

In  addition  to  the  normal  engineering 

QUALIFICATION  AND  RELIABILITY  MONITORING 
TESTS,  SEARCH  FOR  CRITICAL  WEAKNESS  TESTS 
ARE  CONDUCTED  ON  THESE  CONTROL  PUMPS  UNDER 
OPERATING  CONDITIONS  THAT  OFTEN  EXCEED  THE 
PREVIOUS  ENGINEERING  QUALIFICATION  PHASES 
BY  A FACTOR  OF  TWO. 

The  RELIABILITY  FOR  THE  CONTROLS  OF 
THIS  MISSILE  HAVE  RECEIVED  ADDITIONAL 
INPUTS  AS  A RESULT  OF  THE  MERCURY  SPACE 

flights.  All  of  the  Mercury  missile 

COMPONENTS*  INCLUDING  THE  CONTROL  PUMPS, 

ARE  GIVEN  SPECIAL  GROUPS  OF  INSPECTIONS 
AND  TESTS  IN  ADDITION  TO  THOSE  RECEIVED 
IN  THE  NORMAL  ATLAS  PROGRAM « THESE 
INCLUDE  NOT  ONLY  ADDITIONAL  DIMENSIONAL 
AND  METALLURGICAL  INSPECTIONS*  BUT  INCLUDE 
A LARGE  NUMBER  OF  FUNCTIONAL  TESTS.  THERE 
IS  A MAJOR  RELIABILITY  REVIEW  AND  ANALYSIS 
OF  THE  HYDRAULIC  COMPONENTS  BY  SERIAL 
NUMBER*  WHICH  IS  MAINTAINED  THROUGHOUT 
THE  LIFE  OF  THE  UNIT  IN  THE  MERCURY 
PROGRAM. 


AS  AN  EXTENSION  OF  HYDRAULIC  CONTROLS 
FOR  SPACE  VEHICLES*  STUDY  AND  DEVELOPMENT 
OF  HOT  GAS  SERVO  AND  ACTUATING  SYSTEMS  HAS 
BEEN  UNDERWAY  AT  VlCKERS  FOR  THE  PAST 
APPROXIMATE  SIX  YEARS. 

These  hot  gases  are  used  to  drive  a gas 

MOTOR  SIMILAR  TO  A HYDRAULIC  MOTOR*  WHICH 
THEN  DIRECTLY  DRIVES  A HYDRAULIC  PUM^* 

THUS  PROVIDING  HYDRAULIC  F L I G HT  CONTROL 
POWER. 

These  hot  gases  are  obtained  by  a number 

OF  MEANS  SUCH  AS  EITHER  BLEEDING  OFF  THE 
MAIN  ROCKET  ENGINE  OR  USING  A SOLID  PRO- 
PELLANT GAS  GENERATOR.  |T  IS  THIS  LATTER 
CASE  THAT  IS  USED  IN  THE  SKYBOLT  SYSTEM, 

AS  INDICATED  IN  THE  CIRCUIT  DRAWING  IN 

Figure  13.  As  indicated*  a solid  propellant 

IS  IGNITED  PRODUCING  HOT  GAS  WHICH  MOTORIZES 
THE  PISTON  MOTOR*  WHICH  THEN  MECHANICALLY 
DRIVES  THE  HYDRAULIC  PUMP. 

Figure  14  shows  a cutaway  of  the  hot 

GAS  MOTORPUMP.  As  INDICATED*  THIS  IS  AN 
INTEGRATED  PACKAGE,  WITH  THE  GAS  SECTION 
ON  THE  RIGHT.  THIS  PARTICULAR  DEVICE  WILL 
PRODUCE  A 12  GALLON  PER  MINUTE  FLOW  FOR 
AN  INITIAL  PEAK  PERIOD  AND  THEN  BE  REDUCED 
TO  APPROXIMATELY  HALF  OF  THIS  FIGURE  FOR 
THE  REMAINDER  OF  THE  RUN  AT  3000  PS  I 
HYDRAULIC  PRESSURE.  THE  TOTAL  OPERATING 
TIME  IS  SOMETHING  LESS  THAN  2 MINUTES  FOR 

this  APU  in  this  Skybolt  application* 

WHICH  IS  SHOWN  IN  FIGURE  15* 

With  the  aspect  of  combining  hot  gas 

CONTROLS  WITH  THE  MORE  STANDARD  HYDRAULIC 
CONTROLS  AND  THE  MORE  LIMITED  LIFE  ASPECT, 
ADDITIONAL  CHANGES  IN  THE  STANDARD  RELIA- 
BILITY PROGRAM  ARE  MADE  TOOBTAIN  THE 
GREATEST  BENEFIT  FROM  THE  EXPENDITURE. 

While  we  can  draw  upon  twenty-five 

YEARS  EXPERIENCE  FOR  RELIABILITY  STUDIES 
IN  THE  HYDRAULIC  SECTION  OF  THIS  APU*  IN 
THE  GAS  SECTION  RELIABILITY  ANALYSIS 
FAILURE  IS  DONE  ON  A DIFFERENT  BASIS. 

With  a unit  of  this  type*  as  shown  in 
Figure  16,  which  shows  the  disassembled 
VIEW*  GAS  TEMPERATURES  UP  TO  2000° F ARE 
USED  THROUGH  THE  BURNING  OF  THE  AMMONIUM 
NITRATE  PROPELLANT.  In  A RELIABILITY 
PROGRAM  OF  THIS  TYPE  EXTREME  ATTENTION 
IS  GIVEN  TO  THE  SELECTION  OF  HIGH  TEMP- 
ERATURE MATER  I ALS. 

Summary  and  Conclusion 
Studies  and  developments  of  space 

VEHICLE  CONTROL  SYSTEMS  DURING  THE  PAST 
FEW  YEARS  HAVE  INDICATED  THAT  RELIABILITY 
OF  THESE  SYSTEMS  MUST  FIRST  BE  DESIGNED 
INTO  THE  EQUIPMENT*  AND  THEN  THROUGH  CON- 
TINUED MONITORING  BE  BUILT  INTO  THE  EQUIP- 
MENT. 


ko$ 


In  SUMMARY,  I WISH  TO  say  that  relia- 
bility STUDIES  COULD  AND  SHOULD  BE  BASED 
UPON  AS  MUCH  PAST  EXPERIENCE  AS  POSSIBLE* 

BUT  IN  OUR  RAPIDLY  CHANGING  SPACE  TECHNOLOGY 
THIS  IS  ALWAYS  THE  FIRST  STEP  ONLY,  AND 
IT  IS  NECESSARY  TO  TAILOR  RELIABILITY 
STUDIES  AND  ACTIVITIES  FOR  EACH  NEW  CON- 
CEPT AS  IT  IS  DEVELOPED, 

I believe  America's  space  exploration 

DURING  THE  PAST  TWO  YEARS  HAVE  INDICATED 
THAT  THESE  SPACE  VEHICLES  AND  THEIR  CONTROL 
SYSTEMS  HAVE  BEEN  DEVELOPED  WITH  RELIABIL- 
ITY BEING  ONE  OF  THE  FOREMOST  FACTORS. 


Ifi 

Q 

w 

% 

H 

s 

M 

H 

v> 

>* 

t/3 

W 

U 

Ok 

co 

os 

o 

[in 

m 

os 

< 

>« 


AjBj9UB|d  *JS1ut 
PUB  JEUf^SlJUJX 

M 


CO 

S5 

o 


Q 

£ 

O 

O 

P 

<3 

H 

H 

5 

!5 

O 

OS 

l-H 

> 

£ 

w 

M 

o 

c 

ft 

co 

ft 

O 

>* 

OS 

< 


p 

m 


LU 

cr 

ID 

CD 


407 


’.il  . 

MINUTEMAN  MISSILE 


FIGURE  h 

4io 


MODIFIED  PERT  CHART 


FLOW  CHART  FOR  DESIGN  PROJECT  WITH  RELIABILITY  PHASES 


413 


DESIGN  REVIEW  CHART 


u 


POLARIS  MISSILE 
FIGURE  8 


4l4 


1+15 


POLARIS  MISSILE  MOTORPUMP 


1009 -A ENGINEERING  PATCH  STANDARD 


<c 


CO 

X 

> 


OJ 


CD  I 
O < 
s <c 


o 

CD 

UJ 

CO 


CO 

QC 


CO 

< 

0 

_J 

X 

UJ 

0 

CD 

0Q 

h- 

Ul  • 

<c 

co  CO 

CL 

3 UJ 

32 

5-J 

O 

1 

UJ  CL 

X 

< 

00  5 

CO 

< 

— 

0 CO 

CO 

Li_ 

E— 

<c 

X 

CO  0 

Ul 

— E— 

00 

UJ  CL 

CD 

fSl 

_J 

— O 

X 

CO  ^ 

0 

— 

X 

UJ  co 

CO 

_J  co 
0 <c 

CO 

— CL 

UJ 

1 — 

X cc 

a! 

c 0 

5 

CL  U_ 

<c 

CO 

Ll  QC 
O O 

X 

_J 

0 

UJ  0 

E- 

0 0 

<c 

— 

X 

E—  UJ 
O CD 

E- 

X 

2 < 

UJ 

O 

0 

OC 

_J 

E— 

vO 

E—  UJ 

<C 

1 

O > 

— 

CL 

lev 

— <c 

T— 

oc 

_J 

E— 

1 

f-  <0 

-J 

CO 

pf 

CO  <c 

<c 

r- 

O 

QC 

CL 

X 

CO 

<C 

X 

UJ 

UJ 

-J 

0 

— 

CO 

CO 

CO 

• 

— 

X 

2 

• 

CD 

~D 

Ul 

UJ 

X 

0 

• • 

0 

>- 

— 1 

00 

Ul 


— X 

o 

UJ  h- 
CD 

<C  X 
CC 


00 


>* 

CO 


UJ  _J 

2:  <c 

— X 
2 CO 

x 

UJ  CD 


CD 

O 


<C 

x 

co 


UJ  CO  UJ 

co  CO  cc 

=>  UJ 
S CL- 
UJ — S 
CO  _J  ID 
^ X 
_J  c 
uj  cc 
_i  o 
o u_ 

CD  UJ 

co 

ODD 

_i  <c 

<C  U_  o 
CL 

CD  uj 

»-  ^ x 

UJ  <C  e- 
_J  h- 
^ CO  UJ 
— 00 
1— 

UJ  CO  h- 

I UJ  o 


0 

O 

0 

vO 

1 

vO 

1 

vO 

1 

0 

o> 

O 

T— 

C\J 

1 

j" 

1 

-± 

pj" 

CS 

1 

E- 

OJ 

on 

. 

1 

-2L 

—1 

<c 

UJ 

-J 

_J 

1 

— 

> 

— 

c 

>- 

4— 
/ — \ 

1 

<C 

0 

E- 

X 

X 

X 

X 

X 

i — 

CD 

X 

• 

<£ 

0 

CD 

UJ 

X 

X 

X 

1 

UJ 

_J 

UJ 

<c 

CO  • 

E— 

CO 

# 

=3  O 

3 

<c 

CO 

<c 

3 

0 

Z 

E- 

O 

0 

X 

UJ 

co  • 

X CL 

0 

Ll  1— 

> 

BY 

BY 

BY 

m 

CO 

H 

a 

HH 

P 

w 

p 

o 


55 

P 


«c  z O 


o 


P 

P 

<1 

« 

Q 

!* 

W 

K 

O 

Pm 

Q 

« 

<1 

Q 

55 

<J 

Eh 

co 

W 

o 

H 

<d 

ft 

« 

H 

Eh 

P 

l-H 

Pm 


uj 

cc 

=> 

0 

Ll 


4l6 


n 


ATLAS  MISSILE 
FIGURE  12 

4i8 


s 


Ph 

o 

<d 

HH 

Q 

H 

HH 

P 

B 

o 

<L> 

-4-> 

« 

CO 

I— 1 

m 

u 

CD 

& 

E-i 

2 

w 

f . 

H 

o 

CQ 

!h 

03 

5c 

CD 

03 

Ph 

<1 

CO 

o 

cti 

o 

H 

O 

W 

419 


FIGURE  13 


ft 

2 

ft 

ft 

ft 

O 

H 

O 

S 


C 

00 

I 


0 ft 

bfl  S 

1 & 

ctf  O 

Q 5 
a s 

3 a 

o 0 

® ^ 
CO  O 

w ft 

cc 

o 

t. 

O 


CO 

0 

Eh 

O 

w 


ft 

o 


J- 


& 

ft 


UJ 

cc 

=> 

C3 


t>  U. 


0 

H 

O 

ft 

CO 

1 

CO 

CO 

O 

ft 

O 


420 


SKYBOLT  MISSILE 
FIGURE  1 5 


k22 


motorpump 


RELIABILITY  IN  PROCUREMENT 
F-105  AIRCRAFT  ELECTRONIC  SYSTEMS 

Arthur  P.  Coietta 
Joseph  A*  Cravero 
Charles  W,  Russell 

Republic  Aviation  Corporation 
Farmingdale,  New  York 


The  space  effort  has  emphasized  the  import- 
ance of  having  reliable  equipment  by  highlight- 
ing the  cost  of  failure.  However,  there  is 
really  little  difference  between  the  cost  of  low 
reliability  in  a space  effort  and  the  cost  of 
low  reliability  in  an  operational  manned  weapon 
system.  The  intense  realization  of  this  cost  in 
a space  effort  is  due  to  the  concentration  of 
loss  in  one  dramatic  failure. 

Design  of  neitf  weapon  systems  now  includes 
reliability  orientation,  but  the  initial  design 
of  many  existing  weapon  systems  did  not  include 
reliability  orientation  as  we  think  of  it  today. 
The  requirement  for  a specific,  proven  reliabi- 
lity under  a specific  environment  was  not  gen- 
erally included  in  the  procurement  contracts  for 
high  volume  production. 

Studies  generated  to  suggest  means  of  im- 
proving the  reliability  of  existing  equipments 
have  shown  that  the  cost  is  very  high,  The  re- 
sult of  the  improvement  has  been  expressed  as 
benefits  which  include  reduction  in  maintenance 
requirements  and  improvement  in  probability  of 
completing  a mission;  but  it  is  questionable 
whether  the  benefits  have  ever  justified  the 
cost  of  improvement  in  terms  of  dollars  and 
cents,  the  terms  most  understood  by  the  manage- 
ment who  must  make  the  decision  to  expend  the 
required  funds. 

This  paper  describes  a technique,  applied 
to  an  existing  production  program,  which  justi- 
fies the  cost  of  reliability  improvement  by  ex- 
pressing the  resulting  benefits  in  terms  of 
dollars  and  cents  and  also  studies  the  sensi- 
tivity of  the  estimated  savings  to  variations  in 
the  basic  assumptions.  This  makes  it  possible 
to  evaluate  the  program  in  terms  of  an  investment 
having  specified  risks  and  a significant  return, 
bringing  it  closer  to  a strict  management- 
accounting type  of  decision, 

INTRODUCTION 

In  the  discussion  of  Reliability  at  sympo- 
siums and  in  literature,  certain  axioms  have  been 
emphasized  many  times.  Two  of  these  are; 

1,  reliability  must  begin  with  design,  and 

2,  reliability  adds  to  initial  cost  but  re- 
duces maintenance  cost. 

These  axioms  were  substantiated  in  a program 
recently  completed  at  RAC.  Techniques  of  esti- 


mating savings  due  to  reliability  improvement, 
so  often  advocated  in  general  terms,  were 
applied  to  a specific  production  program  with 
results  indicating  that  high  reliability  returns 
tremendous  savings  to  the  customer.  The  program 
that  will  be  discussed  had  one  large  drawback, 
and  that  is,  despite  the  estimated  savings,  the 
program  came  too  late  in  the  weapon  system  pro- 
curement cycle,  If  the  considerations  given  to 
the  subject  program  had  been  given  to  the 
original  design  and  procurement  of  the  various 
sub-systems,  the  overall  savings  to  the  customer 
would  have  been  much  greater. 

In  the  case  of  the  F-105  Weapon  System,  the 
original  specifications  for  both  GFE  and  CFE 
electronic  systems  were  written  early  in  the 
past  decade,  omitting  the  present  emphasis  on 
specific  reliability  requirements.  The  Aircraft 
Industry  received  its  greatest  impetus  to  apply 
specific  reliability  efforts  at  the  Santa 
Barbara  Reliability  symposium  in  1957,  There 
is,  of  course,  no  definite  proof  that  such 
effort,  initially  applied  to  the  FI 05  electronic 
systems,  would  have  resulted  in  systems  with 
presently  achieveable  reliability.  However,  it 
is  felt  that  formal  reliability  analysis,  design 
review  procedures  and  reliability  demonstration 
testing  would  have  resulted  in  more  reliability 
in  the  early  systems,  In  all  fairness  to  the 
equipment  manufacturers, most  of  the  F10S  elec- 
tronic equipment  was,  even  in  the  early  stages, 
considerably  more  reliable  than  similar  systems 
of  comparable  complexity. 

The  reliability  problem  associated  with 
these  complex  integrated  electronic  systems  is 
well  known.  It  is  the  problem  created  by  the 
product  rule  which  requires  that  a high  degree 
of  reliability  be  achieved  in  each  individual 
system  to  assure  sufficient  reliability  of  the 
integrated  electronics  system.  It  became  appar- 
ent very  early  in  the  production  of  the  F105 
that  to  achieve  the  required  effectiveness  of 
the  weapon  system,  the  reliability  of  the  inte- 
grated electronics  system  should  be  increased, 
while  the  non-electronic  systems  evidenced  an 
acceptable  reliability  growth  and  therefore  did 
not  require  an  intense  improvement  effort. 

RELIABILITY  IMPROVEMENT  PROGRAM 

The  subject  program,  designated  "RIP",  in- 
volved : 

1,  the  determination  of  the  optimum  MTBF 


423 


that  could  be  obtained  in  the  various  systems 

2,  the  solicitation  of  technical  and  cost 
proposals  from  the  various  affected  suppliers, 
and 

3.  the  analysis  of  the  reduction  in  spares 
and  repair  costs  that  would  result  from  this  im- 
proved MTBF . 

Of  course  there  are  other  reasons  for  im- 
proving reliability,  for  example,  to  improve 
mission  completion  capability.  However,  if  rel- 
iability is  designed  into  the  system  to  minimize 
operating  expenses  during  peacetime  operation,  a 
high  mission  completion  reliability  will 
normally  result.  Most  of  you  are  involved  in 
designing  and  building  systems  which,  it  is 
hoped,  will  spend  their  useful  lives  in  defend- 
ing the  peace.  If  the  reliability  job  is  done 
adequately  for  this  purpose;  that  is,  the  equip- 
ment is  designed  to  be  reliably  stored,  trans- 
ported, ground  checked,  flight  tested,  etc.,  not 
only  will  it  pay  off  economically,  but  the  rel- 
iability potential  will  be  of  sufficient  degree 
to  satisfy  mission  requirements. 

Economics  of  Reliability 

The  exact  relationship  of  reliability  to 
economics  is  difficult  to  determine.  You  are 
undoubtedly  familiar  with  the  general  reliabi- 
lity cost  relation  which  has  been  published 
many  times  in  the  past  (Figure  1).  As  reliabi- 
lity is  increased,  the  initial  cost  will  in- 
crease to  some  point  where  further  improvement 
could  only  be  obtained  at  tremendous  cost. 
Similarly,  as  reliability  is  increased,  the  cost 
of  maintenance  support  is  reduced  to  some  point 
where  further  increase  in  reliability  has  a 
negligible  effect  in  the  reduction  of  mainten- 
ance cost.  The  total  cost  is  represented  by  the 
curve  plotted  from  the  summation  of  the  first 
two  curves.  The  optimum  is  the  low  point  of  the 
total  cost  curve,  where  maximum  reliability  is 
obtained  for  the  lowest  cost. 

If  improved  reliability  can  have  a benefic- 
ial effect;  then  low  reliability  can  have  an  ad- 
verse effect.  Low  reliability  affects  the  prime 
and  sub-contractor  by  increasing: 

1.  testing  required  before  acceptance, 

2.  equipment  removals  during  the  manufac- 
turing process, 

3.  repairs  and  maintenance  at  the  factory, 

4.  stock  requirements  during  manufacture, 

5.  production  flow  time, 

6.  field  liaison,  and 

7.  obligation  of  rework  under  contract 
warranty  clauses,  or  loss  of  profit  under  con- 
tract incentive-penalty  clauses,  each  of  which 
increases  production  costs. 

Low  reliability  affects  the  customer  by 
increasing : 

1.  spares  requirements, 

2,  repair  facility  requirements  at  the 


base  and  depot  levels, 

3,  manpower  requirements,  and 

4.  quantity  requirements  for  critical 
skills . 

Each  of  the  above  reduces  weapon  system 
utilization  rate  and  the  probability  of  complet- 
ing a mission. 

F105  Integrated  Electronics 

The  integrated  electronics  system  of  the 
F105  consists  of  seven  individual  electronic 
sub-systems : 

1.  Auto  Pilot 

2.  Doppler  Navigation  System 

3.  GIN 

4.  All  Attitude  Reference  System 

5.  Integrated  Instruments 

6.  Central  Air  Data  Computer,  and 

7*  Fire  Control  System, 

In  the  discussion  that  follows,  MTBF  figures 
have  been  altered  to  avoid  security  violations; 
changes  have  also  been  made  in  the  cost  figures 
to  avoid  disclosure  of  proprietary  information. 
The  paper  describes  the  technique  used  to  esti- 
mate the  magnitude  of  savings  that  can  result 
from  achieving  high  reliability  in  the  equip- 
ment. The  exact  information  can  be  made  avail- 
able upon  request  through  proper  channels. 

Figure  2 lists  the  MTBF  of  each  system  when 
the  program  was  initiated  in  January  1961;  and 
the  MTBF  that  was  expected  to  be  achieved  thru 
normal  growth  by  July  1963,  such  growth  being 
attained  through  the  normal  changes  to  the  sys- 
tem resulting  from  ECP’s,  etc.  Also  indicated 
in  this  figure  is  the  ultimate  MTBF  goal  that 
was  desired  for  each  of  the  various  systems. 

This  goal  was  established  to  achieve  a 98%  rel- 
iability of  the  integrated  electronics  system 
for  a 2 hour  mission  with  all  subsystems  oper- 
ating, It  should  be  noted  that  this  requirement 
does  not  reflect  a mission  completion  require- 
ment since  redundancy  within  systems  and  redund- 
ancy between  systems  would  become  applicable, 
However,  full  operation  of  all  subsystems  is  a 
requirement  of  the  contractor  for  delivery  of 
the  weapon  system.  Therefore,  a goal  was  estab- 
lished to  have  no  more  than  two  failures  in  the 
electronic  systems  out  of  every  100  production 
flight  tests. 

The  Mean  Time  Between  Failures  allocation 
to  the  various  subsystems  was  based  on  system 
complexity,  state  of  the  art  in  the  development 
of  the  system,  and  the  effect  that  each  sub- 
system has  on  the  mission  completion  capability 
of  the  aircraft. 

Ground  Rules  for  Improvement 

The  next  step  in  the  program  was  to  contact 
each  of  the  equipment  vendors  (seven  GFE  and  one 
CFE) , in  regard  to  improving  the  reliability  of 


b2k 


each  of  the  systems.  Certain  ground  rules  were 
established,  which  limited  the  type  and  degree 
of  change  that  could  be  made. 

1,  Each  of  the  vendors  was  requested  to 
provide  cost  and  schedules  to  achieve  100%,  75%, 
50%,  and  25%  of  the  ultimate  MTBF  goal. 

2,  Any  improvement  in  reliability  would 
have  to  be  available  for  installation  in  the 
aircraft  18  months  after  contract. 

3,  The  redesigned  systems  must  be  inter- 
changeable with  the  existing  systems;  i.e,,  no 
major  aircraft  redesign  required, 

4,  Any  MTBF  that  was  predicted  would  have 
to  be  demonstrated  by  an  environmental  test 
similar  to  AGREE  but  modified  to  represent  F105 
requirements. 

Each  of  the  vendors  submitted  proposals  to 
accomplish  the  improved  reliability  giving  costs 
and  schedules  to  achieve  various  levels  to  per- 
mit analysis  of  cost  vs,  reliability  trade-offs. 
The  level  that  was  selected  for  each  of  the 
various  systems  is  shown  in  Figure  2,  These 
levels  were  selected  after  analyzing  each  pro- 
posal for  its  effect  on  costs,  schedules,  over- 
all capability  of  the  weapon  systems,  and  the 
probability  of  attaining  the  level  specified. 

In  some  cases,  higher  MTBF  levels  could  have 
been  obtained  at  the  expense  of  reducing  weapon 
system  capability  or  at  the  expense  of  consider- 
able redesign  of  the  aircraft  and  AGE. 

Having  considerable  operational  experience 
with  these  systems  provided  the  prime  and  sub- 
contractor with  some  advantages  in  this  program. 
One  of  these  advantages  was  that  there  were 
considerable  data  available  to  indicate  the 
areas  in  each  system  that  should  be  redesigned 
or  modified  for  reliability  improvement, 

Improvement  Techniques 

In  addition  to  certain  specific  improve- 
ments, most  of  the  sub-contractors  followed  the 
general  approach  shown  below: 

1,  Use  of  higher  reliability  piece  parts. 

2,  Elimination  of  adjustments  and  trim 

pots , 

3,  Replacement  of  tubes  with  transistors, 

4,  Incorporation  of  circuit  redundancy. 

5,  Simplification  of  many  of  the  circuits, 

6,  Performing  environmental  type  rel- 
iability tests. 

7,  Greater  derating  of  piece  parts. 

Effect  on  Reliability 

A comparison  of  system  reliability,  before 
and  after  improvement,  can  be  seen  in  Figure  3, 
This  chart  indicates  the  reliability  of  each 
individual  system,  for  a two  hour  mission,  and 
the  overall  reliability  obtained  from  the  pro- 
duct of  the  reliability  of  the  individual  sys- 
tems, The  total  reliability  in  January  1961 
was  about  59%,  the  predicted  growth  reliability 


was  78%  and  the  reliability  that  would  result 
from  the  Reliability  Improvement  Program  is  90%, 

PROGRAM  MANAGEMENT 

In  a program  such  as  this,  the  weapon  system 
prime  contractor  (Program  Manager,  Figure  4) 
must 

1,  furnish  all  statistical  failure  data 
available  that  will  aid  in  selecting  areas  in 
need  of  improvement : 

2,  monitor  all  tests  that  are  required, 

3,  prepare  equipment  specifications  re- 
gardless of  whether  the  affected  equipment  is 
CFE  or  GFE, 

4,  co-ordinate  the  preparation  of  test 
bulletins,  operations  sheets,  technical  orders, 
etc.  to  assure  that  changes  to  the  systems  are 
conveyed  to  maintenance  and  operating  personnel 
as  well  as  factory  personnel; 

5,  evaluate  reliability  demonstration 
tests , 

6,  standardize  on  a time  and  failure  re- 
porting program  for  all  vendors, 

7,  assure  compatibility  between  the  im- 
proved electronic  system  and  the  airframe,  and 

8,  monitor  equipment  in  the  field. 

It  is  particularly  important  that  interact- 
ing systems  be  fully  tested  and  integrated 
prior  to  installation  in  the  airframe.  Every 
production  program  has  a carefully  planned 
delivery  schedule;  changes  must  not  be  intro- 
duced that  would  delay  that  schedule.  Strict 
attention  to  details  must  be  maintained,  since 
very  often  newly  designed  or  modified  units  can 
cause  more  difficulty  than  the  original  units, 

A program  as  complex  as  the  Reliability  Im- 
provement Program  therefore  must  have  close 
coordination  and  thorough  reliability  testing. 

JUSTIFICATION 

The  cost  of  such  a program  is  justified  in 
terms  of  benefits  either  directly  or  indirectly 
related  to  dollars. 

In  analyzing  the  benefits  to  any  supplier 
(prime  or  sub-contractor),  they  may  be  separated 
into  three  general  categories;  Dollars,  Reputa- 
tion, and  Product.  The  improvement  in  reliabi- 
lity affects  production  costs,  generally  re- 
sults in  a less  expensive  but  always  improved 
product  which  in  turn  improves  the  contractor^ 
reputation  for  production  of  highly  reliable 
equipment , 

To  the  customer,  improvement  in  reliability 
of  the  integrated  electronic  systems  will  have 
a beneficial  effect  in  several  areas,  all  of 
which  reduce  the  cost  of  fleet  support.  In 
general,  the  areas  which-  benefit  include  the 
following: 

1.  Peacetime  spares  requirements  are  re- 
duced, together  with  repair  facilities  and  per- 
sonnel workload. 


425 


2*  Personnel  requirements  are  reduced, 
favorably  affecting  quantity  requirements  for 
critical  skills* 

3,  War  reserve  requirements  are  drastic- 
ally reduced  while  maintaining  at  least  the  same 
fleet  support  capability  as  without  the  improve- 
ment in  reliability* 

4,  Site  and  weight  of  flyaway  kits  are 
drastically  reduced,  resulting  not  only  in  a 
decrease  in  cost  but  an  increase  in  fleet 
mobility  while  maintaining  the  same  support 
capability* 

5,  Aircraft  utilization  is  increased  and 
turn-around  time  reduced  resulting  in  more  air- 
craft in  serviceable  status  with  the  same  main- 
tenance effort  or  the  same  number  of  serviceable 
aircraft  attained  with  less  maintenance  effort* 

6*  The  probability  of  successfully  com- 
pleting a mission  is  increased. 

The  basic  "ground  rule"  for  this  study  has 
been  that  the  non-recurring  cost  of  implementing 
such  a program  must  be  recoverable  within  2 years 
through  the  resulting  savings  in  peacetime 
spares  requirements,  less  recurring  costs* 

No  benefits  other  than  peacetime  savings 
in  spares  have  been  considered.  The  limitation 
to  peacetime  savings  was  made  after  an  attempt 
to  obtain  data  for  the  determination  of  savings 
in  war  reserve  materiel  indicated  that  no  one 
acceptable  technique  for  requirements  computa- 
tion could  be  established,  Similar  problems 
were  encountered  in  attempting  to  investigate 
savings  in  personnel,  warehousing,  and  trans- 
portation, It  is  obvious  that  limitation  of 
estimated  savings  to  peacetime  spares  leads  to 
a conservative  estimate  of  total  savings  to  the 
customer* 

The  cost  of  reliability  improvement  effort 
to  be  applied  to  individual  systems  was  optimiz- 
ed by  comparing  the  potential  peacetime  savings 
with  program  cost.  The  entire  package  was  then 
reviewed  to  assure  that  the  total”  savings  for 
improvement  in  reliability  was  sufficient  to 
recover,  within  two  years,  the  cost  of  imple- 
menting the  program*  The  sensitivity  of  esti- 
mated savings  to  (a)  reduction  in  total  equip- 
ment operating  time  and  (b)  partial  accomplish- 
ment of  predicted  reliability  improvement  was 
also  prepared  to  indicate  systems  most  likely 
to  contribute  substantial  savings  in  peacetime 
spares  * 

Logistics 

Annual  reports  of  the  Air  Force  Spares 
Study  Group  outlined  in  general  the  effect  of 
present  war  plans  on  logistics  requirements* 
Implicit  in  the  war  plan  is  the  concept  that  any 
future  war  will  be  fought  with  materials,  wea- 
pons, and  resources  "in  being"  and  deployed 
with  combat  forces*  As  a result,  it  has  been 
decided  to  implement  this  concept  with  a drive 
to  improve  base  self-sufficiency,  minimize  the 
base  and  depot  repair  cycles  and  improve  air- 
craft utilization.  Each  of  these  goals  must  be 


accomplished  in  peacetime  in  preparation  for  a 
war  situation* 

The  improvement  of  base  self-sufficiency 
and  repair  cycle  time  is  primarily  an  Air  Force 
in-house  problem  which  can  be  considerably  en- 
hanced by  the  various  manufacturers  through 
simplification  of  airborne  equipment  and  the 
incorporation  of  maintainability  principles* 

Every  effort  should  be  made  to  improve  main- 
tainability at  the  same  time  that  an  improvement 
in  reliability  is  incorporated  through  redesign. 
However,  the  benefit  gained  from  increased  base 
repair  capability  was  not  considered  in  calculat- 
ing the  resulting  savings  in  support  requirements. 

Hie  improvement  in  aircraft  utilization  is 
very  definitely  affected  by  an  improvement  in 
reliability  (or  mean  time  to  failure),  since  the 
number  of  equipment  failures  is  directly  re- 
duced , 

Peacetime  Stock 

Neglecting  War  Reserve  Materiel , the  stock- 
age  objective  consists  of  a peacetime  stock 
level  (Operating  Stock  Level)  sufficient  to 
maintain  the  fleet  in  planned  peacetime  activity 
for  a period  of  45  days  without  regard  to  re- 
parables returned*  In  addition  to  the  stock 
level,  the  supply  pipeline  must  be  full  in  order 
to  achieve  a constant  return  flow  of  reparables 
to  the  using  command  (Operating  Requirement)* 

The  purpose  of  the  peacetime  stock  level  is  to 
absorb  any  sudden  fluctuations  in  demand  due  to 
an  unanticipated  increase  in  flying  activity  or 
a sudden  decrease  in  the  flow  of  reparables  re- 
turned* 

Sensitivity  of  the  number  of  spares  in  the 
supply  pipeline  (Figure  5)  to  an  increase  in 
MTBF  is  dependent  upon  the  base  repair  capabi- 
lity associated  with  the  particular  component  to 
be  repaired.  Spares  requirements  for  components 
with  a low  base  repair  capability  are  extremely 
sensitive  to  an  increase  in  mean  time  between 
failure,  resulting  in  extensive  savings. 

Items  in  the  repair  pipeline  not  only  add 
to  peacetime  costs  but  are  useless  in  the  present 
war  concept  which  depends  upon  materiel  and 
forces  "in  being".  The  number  of  items  in  the 
supply  pipeline  can  be  reduced  by  increasing  base 
repair  capability,  reducing  repair  cycle  time,  or 
increasing  MTBF, 

The  peacetime  stock  level,  which  does  not 
consider  reparables  returned,  is  inversely  re- 
lated to  mean  time  betweeen  failure.  For  ex- 
ample, if  MTBF  is  doubled,  the  peacetime  stock 
level  can  be  cut  in  half. 

The  repair  pipeline  and  the  peacetime  stock 
level,  then,  are  two  fertile  areas  for  potential 
spares  savings, 

The  technique  used  to  estimate  the  savings 
in  peacetime  spares  is  based  upon  an  analysis 


426 


which  does  not  consider  random  variation  in  de- 
mand for  spares.  This  does  not  materially  affect 
the  accuracy  of  the  analysis*  since  the  failure 
rate  base  was  Mean  Time  Between  Failure,  result- 
ing in  an  estimated  demand  which  is  a mean  for 
the  random  variation.  As  a result,  the  indicat- 
ed savings  for  the  first  quarter  shown  in  the 
sample  computation  below*  may  not  be  realized 
the  first  quarter. 

Conservative  Estimate 

The  components  under  investigation  are 
limited  to  major  sub-assemblies  only  (black  box 
level).  That  is*  the  savings  in  requirements 
for  spare  modules  (lower  than  black-box  level) 
was  not  included.  In  addition,  it  was  assumed 
that  the  condemnation  and  wearout  rates  were 
sufficiently  negligible  (less  than  1%)  that 
omission  of  these  requirements  would  have  little 
effect  on  the  final  result, 

The  omission  of  spares  support  requirements 
for 

- base  pipeline 

- equipment  lower  than  black-box  level 

- equipment  condemned 

- equipment  worn-out 

leads  to  additional  conservatism  in  the 
estimate  of  dollar  savings  in  peacetime  spares 
support, 

Basic  Assumptions 

For  the  purpose  of  this  analysis*  spares 
requirements  and  spares  availability  were  assum- 
ed to  be  in  constant  equilibrium.  In  other 
words*  if  a comparison  of  requirement  and  avail- 
ability indicated  the  need  for  additional  spares 
for  a particular  quarter*  the  needed  spares  were 
considered  to  be  immediately  available;  the  cost 
of  this  pre-planned  purchase  was  then  charged  to 
the  associated  fleet  configuration  for  the 
quarter  in  which  the  requirement  appeared.  This 
assumption  further  indicates  that  the  repair 
pipeline  is  always  full  and  that  the  peacetime 
stock  level  is  always  adequate  for  each  quarter 
through  advanced  planned  purchases  (Provisioning 
Conferences  and  Replenishment  Planning),  The 
only  reason  for  increased  requirements  in 
succeeding  quarters  is  the  increased  number  of 
flying  hours  due  to  the  increase  in  fleet  size. 
Hie  same  need  could  result  from  a stable  fleet 
size  but  an  increase  in  flying  activity.  Since 
wearout  and  condemnation  were  not  considered* 
should  the  fleet  flying  hour  rate  be  held  con- 
stant there  would  be  no  need  for  additional 
purchase  of  spares. 

The  estimate  of  potential  savings  in  spares 
requirements  was  concentrated  in  the  two  areas 
stressed  above,  namely*  the  peacetime  stock 
level  and  the  supply  pipeline.  The  technique 
used  was  to  compare  the  requirements  for  a 
fleet  having  the  RIP  configuration  with  the  re- 
quirements for  a fleet  which  does  not  have  the 


benefit  of  an  intense  reliability  improvement 
program. 

In  the  assumed  situation*  F105D  KIP  aircraft 
are  delivered  to  the  Air  Force  starting  in 
January  1964  at  a rate  of  60  aircraft  per 
quarter,  or  240  aircraft  per  year,  for  a period 
of  two  years,  Spares  requirements  for  the  RIP 
fleet  are  based  upon  the  MTBF  estimated  by  the 
various  suppliers  as  achieveable  by  19f)4  through 
the  concentrated  Reliability  Improvement  Program, 

Hie  non-RIP  Fleet  consists  of  F10SD  air- 
craft, of  the  present  basic  configuration,  each 
aircraft  containing  an  integrated  electronic 
system  improved  only  through  normal  growth  (FCP 
action).  The  production  rate  was  also  60  per 
quarter  or  240  aircraft  per  year*  for  a period 
of  two  years.  Spares  requirements  for  the 
"growth"  fleet  were  based  upon  the  MTBF  esti- 
mated as  achieveable  through  normal  growth  by 
1964.  This  projected  MTBF  was  extrapolated 
from  a 5 year  history  of  FIGSP  electronic  equip- 
ment measured  MTBF*  and  system  reliability 
growth  potential.  In  both  cases*  that  is  For 
the  "growth"  and  RIP  fleets*  it  was  assumed  that 

1,  the  flying  hour  program  is  7$  hours  per 
aircraft  per  quarter  and 

2,  the  peacetime  attrition  rate  is  12  air- 
craft per  100,000  flying  hours. 

Power-on  operating  time  is  the  only  base  for 
acceptable  measure  of  mean  time  between  failure 
for  electronic  equipment.  It  is  assumed  that  all 
electronic  equipment  is  in  operation  during  all 
flights*  and  that  the  ratio  of  ground  to  flight 
operating  time  for  all  electronic  systems  is 
3:1  (the  ratio  at  the  RAC  production  flight  line 
varies  from  6:1  to  15:1  depending  upon  the 
particular  system  in  question).  The  signific- 
ance of  this  ratio  is  that  each  piece  of  equip- 
ment is  operated  three  hours  on  the  ground  for 
each  hour  of  flight.  Computations  were  then 
repeated  for  ratios  of  2:1  and  1:1, 

All  items  in  base  repair  were  considered  to 
be  returned  within  the  quarter*  thus  requiring 
no  spares  to  support  the  base  repair  pipeline. 

The  depot  repair  cycle  was  assumed  to  be  38  days 
for  all  components*  resulting  in  the  return  of 
5S%  of  all  depot  reparahles  within  the  quarter 
in  which  the  components  failed*  and  42%  returned 
in  the  succeeding  quarter.  Bach  component  was 
evaluated  as  to  its  capability  of  being  repaired 
at  base  level  through  use  of  the  latest  applic- 
able High  Value  Review  Board  Check  Sheet  (AM C 
Form  231)  and  discussion  with  Field  Service 
specialists  thoroughly  familiar  with  the  air- 
borne equipment  and  Air  Force  base  repair 
capability.  Base  repair  capability  is  expressed 
as  a percent  of  all  failures  estimated  to  be  re- 
parable at  organization  or  field  level. 

Estimating  Technique 

The  number  of  failures  per  component  per 


42? 


quarter  year  was  determined  by  dividing  the  est- 
imated average  number  of  equipment  operating 
hours  accumulated  by  the  installed  equipment  in 
fleet  inventory  during  the  quarter  under  invest- 
igation, by  the  Mean  Time  Between  Failure  of  the 
component  in  question.  The  quantity  of  service- 
able components  available  within  the  current 
quarter  was  determined  through  application  of 
the  base  and  depot  repair  capability  estimates 
together  with  the  estimated  percent  of  depot  re- 
parables returned  within  the  quarter.  The  total 
depot  reparables  returned  consists  of  42%  of 
those  failed  components  returned  to  the  depot 
during  the  preceeding  quarter  as  well  as  58%  of 
those  returned  to  the  depot  during  the  current 
quarter. 

The  entire  analysis  is  based  upon  the  tech- 
niques described  in  AMCM  400-1  and  Spares  Study 
Group  Report  No,  8 (December  1958)  and  outlined 
in  AMC  Form  326,  Only  those  calculations  were 
used  which  are  involved  in  determining  the  peace- 
time stock  level  and  depot  repair  pipeline  re- 
quirements, With  this  limitation,  in  addition 
to  the  limitations  imposed  by  the  basic  assump- 
tions previously  described,  it  was  possible  to 
eliminate  the  following  computations: 

1,  WRM  replacements,  (War  Reserve  Materiel) 

2,  FAK  requirements  (Flyaway  Kits) 

3,  Overhaul  support  requirements 

4,  Condemnation  and  wearout  replacements 

5,  Support  of  non-recurring  requirements 

6,  Planning  of  the  Material  Repair  System 

7,  Planning  for  Procurement 

8,  Spares  distribution  to  user  bases 

9,  Retention  level  planning 

Typical  Computation 

A sample  spares  requirement  computation  is 
shown  in  Figures  6 and  7 for  an  Autopilot 
MBlack  Box”,  The  computation  essentially 
follows  the  procedure  outlined  in  AMC  Form  326, 
as  previously  stated.  This  single  computation, 
for  only  one  sub-assembly  within  the  autopilot 
subsystem,  indicates  the  tremendous  potential 
for  savings  in  spares  requirements,  for  a 
quarterly  saving  of  over  $88,000  (25  pcs)  is 
estimated  to  be  realized.  The  same  technique 
was  repeated  for  all  major  components  of  each 
subsystem  to  produce  the  total  estimated  annual 
savings  of  $54,000,000  compared  to  an  estimated 
Reliability  Improvement  Program  non-recurring 
cost  of  some  $25,500,000  (Figure  8), 

Sensitivity  Tests 

In  computing  the  savings  in  spares  require- 
ments due  to  the  improvement  in  reliability  of 
the  airborne  electronic  equipment,  several 
assumptions  were  made,  all  of  which  have  been 
discussed  in  previous  sections  of  this  paper. 

All  of  the  assumptions  are  considered  to  be  in 
the  direction  resulting  in  a conservative  esti- 
mate of  savings.  Two  assumptions  which  may  not 
appear  to  be  conservative  are: 


a.  that  the  estimated  reliability  achieve- 
ment will  in  fact,  be  achieved,  and 

b.  that  the  ratio  of  ground  operating 
time  to  flight  time  is  3 hours  on  the  ground  to 
each  hour  of  flight. 

Since  computed  savings  are  affected  by  these 
parameters,  the  computation  of  savings  was  re- 
peated to  indicate  the  sensitivity  of  savings  to 
partial  achievement  of  estimated  reliability 
improvement  and  to  a reduction  in  equipment  total 
operating  time  (essentially  a reduction  in  the 
ratio  of  ground  time  to  flight  time).  Figures  8, 
9,  and  10  include  the  results  of  a computation 
of  estimated  savings  with  ground  time  to  flight 
time  operating  ratios  of  3:1,  2:1,  and  1:1;  in 
addition  to  the  effect  of  achieving  100%,  75%, 
50%,  and  25%  of  the  estimated  improvement  in 
reliability. 

The  results  of  this  analysis  indicate  that 
the  Doppler  Navigator,  Central  Air  Data  Com- 
puter and  NASARR  Radar  have  the  most  potential 
for  dollar  savings  in  peacetime  spares.  In 
particular,  the  Doppler  system  improvement  re- 
sulted in  not  only  an  improvement  in  reliability 
but  a substantial  reduction  in  estimated  price, 
such  that  significant  savings  are  realized 
even  if  no  reliability  improvement  is  achieved. 

Proposed  improvement  of  the  Vertical  Tapes. 
(Integrated  Instruments)  and  All  Attitude 
Platform  do  not  indicate  as  dramatic  a saving 
as  with  the  systems  discussed  above.  Proposed 
improvement  of  the  Automatic  Flight  Control, 
Communication-Information-Navigation  and  Toss 
Bomb  Computer/ Sight  Display  systems  show  ex- 
treme sensitivity  to  partial  accomplishment  of 
estimated  improvement  and  reduction  in  equipment 
operating  hours. 

Although  large  peacetime  savings  are  not  in- 
dicated for  every  subsystem,  the  non-assessed 
benefits,  such  as  increased  aircraft  utilization, 
improved  mobility  of  flyaway  kits,  increased 
probability  of  completing  a mission  and  reduced 
maintenance  requirements,  may,  in  the  opinion  of 
the  customer,  counterbalance  comparatively  small 
peacetime  savings  sufficiently  to  make  the  im- 
provement in  reliability  worthy  of  the  invest- 
ment required, 

MISSION  COMPLETION  CAPABILITY 

One  of  the  primary  effects  of  improving  the 
reliability  of  the  F105D  electronic  systems  is 
the  corresponding  increase  in  mission  completion 
probability.  That  is,  the  likelihood  that  the 
weapon  system  will  function  in  such  a manner 
that  the  mission  objective  will  be  achieved. 

There  are  two  essential  mission  objectives  which 
must  be  satisfied;  that  of  the  Contractor  and 
that  of  the  using  agency. 

The  Contractor's  objective  is  to  deliver 
the  weapon  system  to  the  customer  with  all  sub- 
systems fully  operational.  The  Air  Force  ob- 


^28 


jective  is  to  successfully  complete  a combat 
mission  with  the  weapon  system.  Consequently 
the  Air  Force  is  concerned  with  the  probability 
that  each  sub-system  will  operate  normally  for 
the  time  required  to  fulfill  its  function  in  the 
course  of  the  mission.  While  certain  equipment 
failures  can  occur  without  affecting  combat 
mission  completion,  Air  Force  acceptance  of  the 
weapon  system  requires  that  the  Contractor  de- 
monstrate full  operation  of  all  systems  prior 
to  delivery.  Since  the  two  objectives  are 
apparently  incompatible,  they  shall  be  considered 
separately  to  demonstrate  the  individual  effects 
of  improving  system  and  component  reliability. 

Republic’s  time  and  Failure  Reporting  Pro- 
gram has  produced  a wealth  of  production  line 
reliability  data  with  which  to  directly  compute 
the  probability  of  production  acceptance  of  the 
F105D  electronic  systems.  By  applying  this  data 
to  typical  combat  mission  profiles,  the  prob- 
ability of  mission  completion  can  also  be  readily 
computed.  The  following  is  a description  of  the 
methods  used  in  deriving  these  two  probabilities. 

Three  stages  of  system  and  component  rel- 
iability, expressed  as  Mean  Time  Between  Fail- 
ures, were  used  as  the  basis  for  the  analysis. 

TheT  first  stage  is  the  reliability  of  systems 
now  being  produced.  The  second  stage  represents 
the  reliability  achievable  in  two  years  through 
normal  growth,  based  upon  projected  system  im- 
provements brought  about  through  ECP  action, 
normal  component  refinement,  and  advancement  on 
the  "learning  curve".  This  is  usually  accomp- 
lished without  significant  change  in  basic  sys- 
tem design.  The  third  stage  is  that  level  pro- 
posed by  the  system  sub-contractors  for  signi- 
ficant system  improvement. 

Production  Acceptance 

USAF  acceptance  of  the  weapon  system  from 
the  contractor  has  been  assumed  to  require  that 
every  subsystem  of  the  F105D  electronic  system 
operate  without  failure  for  a two  hour  flight, 
Using  the  system  failure  rates  described  in  the 
foregoing  section  and  the  equation  of  the  ex- 
ponential function, 

-t/T 

P = e 

where : 

P = probability  of  successful  completion 
e = Naperian  Base,  2.7183, 
t a equipment  operating  time  = 2 hours, 

T = Mean  Time  Between  Failures,  hours  and 
1/T  = Failure  Rate, 

the  improvement  in  probability  of  an  Air  Force 
acceptance  pilot  experiencing  no  electronic  sys- 
tem failures  during  a total  of  two  flight  hours 
on  one  aircraft  was  found  to  be  a 9%  increase  in 
acceptance  probability  at  the  end  of  two  years 
through  normal  product  improvement.  If,  however, 


the  proposed  Reliability  Improvement  Program  is 
undertaken,  an  increase  of  36%  in  acceptance 
probability  is  achieveable  in  the  same  time 
period. 

Mission  Completion 

The  probability  of  acceptance  given  in  the 
preceding  section  is  a convenient  measure  of 
the  total  reliability  of  the  F10SD  integrated 
electronic  systems  operating  for  two  hours  in 
flight.  Hqwever,  an  indication  of  weapon  sys- 
tem combat  effectiveness  is  the  probability  of 
the  electronic  systems  operating  properly  dur- 
ing the  mission  for  which  the  weapon  system  was 
designed.  Representative  basic  missions  of  the 
F105D  (2  hours  duration)  were  analyzed  for 
various  weather,  weapon  and  delivery  modes  to 
determine  electronic  system  mission  completion 
probability.  Subsystems  included  in  each 
mission  analysis  were  limited  to  those  required 
to  accomplish  the  particular  mission  under 
study,  each  of  which  were  assumed  to  operate 
for  the  full  duration  of  the  mission. 

The  three  stages  of  system  reliability  and 
the  equation  previously  described  were  used  in 
the  computation  of  electronic  system  mission 
completion  probabilities  with  the  qualification 
that  only  system  modes  were  included  which  were 
required  for  the  particular  mission. 

The  normal  growth  improvement  in  electronic 
system  probability  of  mission  completion  is 
thus  estimated  to  be  6%,  while  the  RIP  program 
would  yield  a corresponding  improvement  of  18%, 
These  figures  were  found  to  be  approximately 
the  same  for  both  the  LO-LO-LO-Hi  and  the  HI- 
L0- LO-fll  mission  profiles,  under  blind  weather 
conditions.  In  clear  weather,  the  MTBF’s  are 
higher,  but  the  percent  improvement  is  about  the 
same, 

CONCLUSION 

Reliability  is  an  investment  that  returns 
dollars  to  the  customer  in  the  form  of  reduced 
cost  of  maintenance  support  and  increased 
efficiency  of  the  weapon  system.  However,  if 
the  investment  is  delayed  so  that  the  result 
appears  late  in  the  operational  life  of  the 
weapon  system,  the  necessary  investment  to 
achieve  the  same  result,  will  increase.  This  is 
due  to  the  necessary  reduction  in  the  flexibi- 
lity of  permissable  changes  as  the  quantity  of 
existing  systems  increases  and  the  quantity  of 
future  production  decreases.  In  addition, 
flexibility  is  further  reduced  as  more  Aero 
Ground  Equipment  is  introduced  which  requires 
additional  expenditure  of  funds  to  make  the 
equipment  compatible  with  modifications  to  the 
airborne  equipment. 

Studies  have  further  indicated  that  it  is 
extremely  difficult,  if  not  impossible,  to  fin- 
ancially justify  retrofit  costs,  for  the  cost  of 
retrofit  is  a direct  expenditure  that  cannot  be 
compared  with  anything  but  the  cost  of  not  per- 


429 


forming  retrofit  * which  is  no  cost  at  all.  In 
addition,  supporting  spares  are  scheduled  to  be 
on  hand  prior  to  delivery  of  the  equipment  to 
be  maintained.  Therefore,  if  sufficient  spares 
were  procured,  an  improvement  in  reliability 
of  the  basic  equipment  will  create  a surplus  of 
supporting  spares,  rather  than  a saving  in 
future  procurement.  The  only  saving  that  can 
be  realized  in  a retrofit  program  to  improve 
reliability  is  in  the  area  of  reduced  manpower 
requirements,  reduced  requirement  for  replace- 
ment bits  and  pieces  and,  reduced  requirement 
for  additional  spares  (if  additional  spares 
must  be  procured) , 

In  summary,  maximum  benefit  is  obtained 
from  early  investment  in  reliability,  which 
will  increase  first  cost,  but  which  must  be  con- 
sidered as  an  investment  with  a virtually  guar- 
anteed return. 


430 


F/GORE  1 

cos  T ™ fi£L/ABlL /T Y 


F/GURE  a 

SYSTEM  MTBF 


SYSTEM 

jrnurry  I 

/ 9£>/ 

PROJECTED 

/96>3 

l/LT/MRTE 

GOGL 

R/P 

/9  63 

* fill  TOP /LOT 

90 

/oo 

SOO 

/ 90 

*-  DOPPLER 

IS 

20 

SOO 

ISS 

* C/A/ 

SO 

40 

SOO 

Q(=> 

* PL  RT FORM 

ns 

2SO 

9 Z0 

SIB 

* t/- TREES 

350 

500 

1130 

/QSQ 

* CROC 

1 70 

200 

H*QQ 

!Q5Q 

**-  F/RE  CONTROL 

/ 3 

/ 6 

SOO 

4° 

* QF£ 

**■  CFE 

^31 


FKUHE  3 

CUMULflTIVE_  ACCEPTANCE,  REURBIUTY 
ELECTRONIC  SYSTEMS 


*/> 

& Ih  + N 

15 


O 

ea 

CM 

On 

<to 

Os 

O8* 

X 

<3 

% 

<3 

O 

0^ 

©\ 

«Q 

€h 

Os 

Os 

<* 

VJ 

Os 

Os 

Qs 

§ 

§!  i%  o £ 


^ ^ v» 

•s*  W sfi  . 

Ift  00  Qq 

Os  ^ <3 

«< 

O'  <3Q  (>  s§ 

d d o'  d 

J#/v  / ?6/ 


COMPONENT  PARTS  FLOW 

F/CURE  5~ 


FIGURE  6 


TYP/CAL  REQU/tfEMENTS  COMPUTATION 

iljSL  QUAE  TER  YEAR  0£  OPERATION 
AUTOPILOT  "BLACK  BOX" 

DEP/VAT/OM  OF_  OPERA  T/NG  HO  UPS 

a.  average  mu  ms  eg  of  aircraft  oeuvrr&p  so 

b.  EST/MATE  OF  ATTRITION  O 

C,  A/<S  NUMBER  OF  A*R GRAFT  //V  INVENTORY  30 

d.  FI YING  HOUR  RATE  PER  A/RCRAFT  ?? 

c.  total  fly /mg  hours  Accumulated  bbso 

£ TOTAL  EQUIPMENT  OPES  A T/PJG  MOORS  4000 

CNARAC  TER/3  T/CS  OF  AUTOPILOT  'BLACK  BOX*' 

a . /DEAN  T/N9E  BETWEEN  FA/LORES,  UPS, 

PRESENT  500 

NORMAL  GROWTH  3?te 

P/P  98b 

b.  UN/T  COST  , dollars 

PRESENT  37-5*0 

NORMAL  GROWTH  3SSO 

Rip  35W 

C.  REPAIR  CHAR  AC  TER/ ST  NS  CO  fAMOTY  FOR 
present,  normal  growth  and  r/p 

base  repair  cAPA&tury  os% 

DEPOT  REPAIR  CAPABILITY  3 5^ 

1>£pOT  REPAIR  CYCLE  3 8 d<xyS 

DEPOT  REPARABLES  RETURNED  /M  CURRENT  Lp  58% 

DEPOT  REPARABLES  RETURNED,  SUCCEEDING  <p  4?  % 

AY'/}  COST,  REPAIR  B/TS  And  PIECES  # &.2E 

^35 


F/CURE  r 


TYP/CAL  RE QUJREMEMTS  COMPUTATION 


F/R5T  QUARTER  V&W  OF  OPFPATION 

AUTOPILOT  "RLACK  BOX” 

requ/pe/aen rs  caMPO ta  r/o/v 


/TEN? 

ROR/AAL 

GROWTH 

RIP 

a. 

Equipment  operating  hoops 

9000 

9000 

b. 

OPERATING  REPLACEMENTS  OR  REPAIRS,  ^°°^TQf. 

a* 

3 

c. 

OPERA  ri/VG  STOCK  LEVEL,  '/?  OP  REPLACEMENTS 
FOR  ScJ/3  S£  tp  UENT  Q OARrER 

3b 

13 

d 

EASE  IRE  FAIRS,  OF  b. 

16 

6 

e. 

PEPOT  REPAIRS,  3Sm/a  OF  b. 

8 

3 

* 

DEPOT  REPARABLE*  RETURNED  CURRENT 

quarter,  ssjb  of  e. 

Z 

9. 

OEPOT  REPARABLES  RET  ORA/ED  FRO/A 

Rrev/oos  Quarter 

O 

O 

/?. 

TOTAL  SERVICE  ABLE  ASSETS, 
d.  + f.  + <j. 

2.1 

e 

i 

Reo oirement  summary 

OPERATING  STOCK  level,  / tem  c. 
operating  Requirement  , item  b.-irs*r  h. 

3b 

3 

/3 

/ 

• 

J- 

TOTAL  NUMBER  OF  REPAIRS,  C OH  RENT  QUARK 

2\ 

a 

QQM£otATion  OF  dollar  SAViN_6S_,  First  G>o#isr£/? 


/ T£P1  NORMAL 

GROWTH 

Pip 

SAVIN  Q 

a. 

Total,  spares  requirement  3 9 

Id 

2S  pcs 

b. 

unit  cosr  $sso 

/ 3SSO 

. — 

c. 

cost  of  spares,  axb  ?/3e,Aso 

i * A 9,700 

? 6 8, 7SO 

d. 

COST  OF  UNITS  INSTALLED  IN 

AIRCRAFT  DELIVERED  77NS  Z 13,000 

quarter  (60  Aircrafts 

213,000 

none 

TOTAL  doll ag 3 SA ved  / & 8,1  SO 


436 


F/EUNE  B 


ANNUAL  S/9V/NCS 


^37 


NOTE.:  “OOO"  OMITTED 


F/GURE  3 


ANNUAL  SAYINGS 

vs 

ACHIEVED  PERCENT  OF  ESTIPIA  TED  /MPFOVEME/V T 
RATIO,  CRouND  :F!R~  g.7 


system 

ESTIMATED  IMPROVEMENT 
( PERCENT  OF) 

PROGRAM 
COST  PER 
SYSTEM 

too 

7S 

SO 

zs 

AUTOPILOT 

* 60 

f (to) 

t (no) 

f (240) 

1 6,70 

DOPPLER 

26,490 

2SJBI0 

24,540 

21,720 

9.7  !0 

CIN 

840 

610 

340 

(no) 

9 30 

PLATFORM 

420 

390 

3S0 

310 

2,160 

V- TAPES 

430 

400 

3 65" 

280 

32S 

C A PC 

3, ISO 

3,060 

2,860 

2,4*0 

SI6 

FIRE  CONTROL 

B, 930 

7 1480 

*,490 

2,080 

11,210 

Totals  , 

$40,110 

* 

'2  6,430 

ft  2S.SZO 

NOTE : 'OOO*  OMITTEP 


438 


p/gure  /o 


ANNUAL  SAjANES 

V5 

ACRfEVgP  PERCENT  OF_  ESTIMATED  IMPROVEMENT 
R4  TIP,  GROUNP .'  A/e  - / // 


system 

ES T/ MATED  IMPROVEMENT 
(PERCENT  OF) 

PROGRAM) 
COST  PER 
SYSTEM 

fOO 

75-  | 

so 

ZE 

AUTOPILOT 

t Ozo) 

* 060)* 

(e$o)  * 

(3Z0) 

* 4,7o 

DOPPLER 

19, HO 

18,860 

/ 7,990 

70,060 

9, HO 

C/N 

3Z0 

170 

no) 

(3  so) 

930 

PLATFORM 

330 

ZAO 

3/0 

Z80 

Z,l60 

V-TfiPES 

330 

320 

290 

230 

325 

CROC 

2, 390 

Z,  330 

2, ZOO 

1,920 

5/a 

F/RE  CONTROL 

4,940 

3,680 

2,490 

340 

U.ZIO 

TOTAL S 

/ 27,530 

iB.lbO 

^ as, szo 

NOTE  i "OOO"  OMITTED 


439 


* 


RELIABILITY  MONITORING  BY  OPTIONAL  STOPPING  SAMPLING 


Norman  R.  Garner 
Aerojet -General  Corporation 
Azusa,  California 


Abstract 

An  optional  stopping  sampling  procedure  is 
recommended  for  reliability  monitoring.  This 
procedure  allows  testing  to  continue  until  k de- 
fects are  observed*  At  this  time  one  of  three 
decisions  are  made.  If  the  number  of  trials  is 
too  small,  testing  is  stopped  and  an  engineering 
change  is  required.  If  the  number  of  trials  is 
too  large,  then  a new  reliability  plateau  has 
been  achieved.  If  the  number  of  runs  is  neither 
too  small  nor  too  large  a new  sequence  of  testing 
begins.  Thus,  only  a minimum  amount  of  testing 
would  be  performed  on  unreliable  systems  - a very 
desirable  characteristic  for  the  proper  monitor- 
ing of  reliability.  On  the  other  hand,  if  an  en- 
gineering design  change  was  made  which  improved 
reliability  appreciably,  the  length  of  trials 
would  become  longer  and,  so,  a more  efficient  es- 
timate of  reliability  would  be  made  for  the  im- 
proved system.  This  is  precisely  what  is  desired 
by  a monitoring  system.  The  mathematical  model 
Is  discussed,  emulative  probabilities  are  given 
so  that  control  charts  can  be  established,  and, 
finally,  an  example  is  presented. 

Reliability  Monitoring  Requirements 

Every  development  program  can  be  considered 
as  an  evolutionary  process 5 a process  which  re- 
quires a continuous  series  of  engineering  changes. 
As  these  changes  are  made,  it  is  desirable  to 
continuously  monitor  the  development  program  to 
determine  which  engineering  changes  are  beneficial 
and  which  are  detrimental.  It  is  essential, 
therefore,  that  a monitoring  procedure  be  de- 
veloped which  allows  rejection  of  an  engineering 
change  as  soon  as  possible  if  it  is  detrimental 
but  allows  testing  to  continue  if  it  is  benefi- 
cial. This  is  consistent  with  the  ideas  of 

(1)  minimum  coot  since  it  will  minimize  testing, 

(2)  eliminating  causes  of  non -improvement,  and 

(3)  obtaining  test  results  which  convey  most 
efficiently  the  current  estimate  of  reliability. 

In  essence,  at  least  a three  decision  pro- 
cess is  required.  One  decision  says  stop  testing, 
reliability  has  decreased  and  no  more  testing 
should  be  performed  until  an  engineering  change 
is  made.  A second  decision  says  that  the  en- 
gineering changes  have  increased  reliability  and, 
so,  a new  reliability  plateau  has  been  achieved. 

A third  decision  is,  of  course,  continue  testing, 
insufficient  evidence  to  determine  (l)  or  (2). 

A sampling  procedure,  commonly  called  optional 
stopping  or  inverse  sampling,  can  fulfill  all  of 
these  requirements. 

Optional  Stopping  Sampling  Procedure 

The  optional  stopping  sampling  procedure 


tabulates  the  number  of  trials  up  to  and  in- 
cluding k failures,  where  k is  a preassigned 
number  of  allowable  defects.  Thus,  as  the  suc- 
cess runs  or  number  of  trials  become  larger,  it 
would  be  assumed  that  the  reliability  has  im- 
proved; as  the  success  runs  become  smaller,  it 
would  be  assumed  that  the  reliability  has  de- 
graded. So,  it  is  possible  to  control  develop- 
mental decisions  by  observing  the  length  of  runs; 
that  is,  the  number  of  trials  required  up  to  and 
including  k failures.  For  example,  if  an  en- 
gineering change  caused  a degradation  in  relia- 
bility, or  if  wearout  were  becoming  an  important 
reliability  variable,  the  observed  lengths  of 
trials  would  decrease  significantly.  This  would 
call  for  a stopping  of  testing  until  an  engin- 
eering change  were  made.  Thus,  only  a minimum 
amount  of  testing  would  be  performed  on  unre lia- 
ble systems  - a very  desirable  characteristic  for 
the  proper  monitoring  of  reliability.  On  the 
other  hand,  if  an  engineer  iesign  was  made 
which  improved  the  reliabi-tioj  appreciably,  the 
lengths  of  trials  would  become  longer  and,  so,  a 
more  efficient  estimate  of  reliability  would  be 
made  for  the  improved  system.  This  is  precisely 
what  is  desired  by  a monitoring  system.  This 
procedure  is  in  effect  continuous  surveillance  on 
the  development  program  and  when  k defectives  are 
observed  a decision  is  to  be  made.  It  is,  of 
course,  a form  of  sequential  sampling.  That  is, 
in  contrast  to  fixed  sampling  programs,  the  sam- 
ple size,  n,  is  a random  variable. 

Mathematical  Model  for  the 
Optional  Stopping  Sampling  Procedure 

The  mathematical  model  for  this  procedure 
is  given  in  Feller  as 

P(X=n)  = (£"*)  (1-R)k  Rn-k  n=k,  k+1,  ... 

where  p(X=n)  is  the  probability  of  a run  of  n 
trials  up  to  and  including  the  kth  failure  (the 
number  of  failures  allowed  before  sampling  is 
stopped);  and  R is  the  current  reliability  of  the 
system.  This  model  is  known  as  the  Pascal  or, 
more  popularly,  the  negative  binomial  distribu- 
tion. 

Feller  also  shows  that  the  mean  or  expected 
number  of  trials  up  to  and  including  the  kth  de- 
fect is 

- A 

and  its  variance  is 


m 


c2(X) 


(1-R) 


a 


If  k is  preassigned  as  unity  then  Pascal's 
distribution  reduces  to  the  well  known  geometric 
distribution 

F(X=n)  = (l-R)  r11"1  n s 1 


with  the  expected  number  of  trials  up  to  and  in- 
cluding the  first  defect 

= CT 


and  its  variance 


ct2(X) 


R 


When  it  becomes  necessary  to  estimate  R from 
a series  of  trials  when  k has  been  assigned,  Hal- 
dane has  shown  that  an  unbiased  estimate  of  R is 

£ n-k 

R “HU 


and  Finney  has  shown  that  an  unbiased  estimate  of 
its  variance  Is 

= R(l-R) 

n-2 

Finney  recognised  that  the  standard  error  is  a 
satisfactory  estimate  of  the  error  of  estimation 
of  R only  when  k is  large  and  states  that  for 
small  k limits  of  error  can  be  computed  from  bi- 
nomial tables  by  the  following  rules; 

1*  The  lower  limit  is  one  minus  the  upper 
limit  for  a direct  binomial  sample  which 
has  k-1  failures  in  n~l  trials. 

2.  The  upper  limit  is  one  minus  the  lower 
limit  for  a direct  binomial  sample  which 
has  k failures  in  n trials. 


4 


These  limits  are  the  highest  and  lowest  values  of 
H which  Just  fail  to  be  contradicted  by  the  sam- 
ple in  a significance  test  based  upon  a chosen 
level  of  the  probability. 

Establishing  the  Control  Chart 

The  cumulative  probabilities  have  been 
summarized  for  k=0.0  and  for  reliabilities  of 
.85  (l)  .99  for  control  chart  limits  in  Table  X* 
The  median  value  is  also  given.  In  the  body  of 
the  table  are  the  allowed  number  of  tests  up  to 
and  including  the  ktfa  failure  before  a decision 
is  to  be  made.  For  example,  with  k~10  and  an 
assumed  reliability  of  .90*  if  or  less  tests 
were  observed  up  to  and  including  the  10th  fail- 
ure, testing  would  stop  and  would  not  continue 
until  an  engineering  change  were  made.  On  the 
other  hand,  if  1^4  or  more  tests  were  observed, 
it  would  be  decided  that  a new  plateau  or  a new 
reliability  had  been  obtained.  A new  estimate  of 


reliability  would  be  assumed  and  new  limits  de- 
termined* Otherwise,  a new  series  of  tests  is 
commenced.  These  limits  are  chosen  with  a % 
error  of  making  a false  change  in  the  current  re- 
liability status. 

A question  which  arises  is  the  level  of  con- 
trol required.  Conventional  control  charts  cus- 
tomarily use  the  95$  (2c)  or  99-7$  (3<0  limits. 
However,  optional  stopping  sampling  charts  are 
for  detecting  changes  of  two  independent  events 
to  provide  a basis  for  independent  decisions*  For 
example,  if  a point  goes  out  on  the  low  side  no 
revision  is  made  to  the  limits,  but  a change  is 
made  to  the  process.  In  other  words,  these  charts 
are  for  the  purpose  of  detecting  changes  in  relia- 
bility on  a product  which  is  continually  altered 
by  engineering  changes,  not  to  maintain  the  pro- 
duct in  stable  control  or  its  normal  pattern  of 
variation.  This  is  perhaps  the  difference  between 
control  charts  for  developmental  work  contrasted 
with  mass  production.  Therefore,  it  is  recommen- 
ded that  the  90jt  control  limits  be  used*  That  is, 
% for  each  side,  or  each  decision. 

When  it  is  decided  that  a new  plateau  has 
been  achieved,  a problem  arises  in  determining  the 
new  re liability ; however,  it  is  suggested  that 
only  points  on  the  upturn  be  used  to  determine 
this  value  for  control  limits*  This  value,  of 
course,  could  be  adjusted  as  evidence  is  accumu- 
lated. These  charts  should  be  studied  just  as 
regular  control  charts.  For  example,  they  should 
be  watched  for  significant  gaps,  trends,  or  runs 
above  or  below  the  median  value.  A skilled  sta- 
tistician should  he  available  for  consultation. 


The  choice  of  k is  more  or  less  arbitrary. 

One  should  choose  k according  to  a desirable 
operating  characteristic  curve,  financial  avail- 
ability, or  both.  If  the  reliability  is  assumed 
to  be  rather  low  perhaps  values  of  k=4  to  10  could 
be  used.  However,  as  the  reliabilities  get  higher 
and  higher,  the  only  choice  is  to  let  k=l  or  2. 

Example 


A control  chart  for  the  762  consecutive  de- 
velopment tests  on  an  Auxiliary  Power  Supply  is 
shown  on  Figure  1 for  k=O-0.  The  results  are  also 
presented  in  Table  II*  The  initial  reliability 
was  assumed  to  be  .85  and  so,  from  Table  I the 
lower  control  limit  is  38  tests,  the  median  number 
of  tests  Is  64,  and  the  upper  control  limit  is 
102  tests.  On  the  fifth  sequence  of  10  failures, 
a run  of  134  tests  was  observed  which  is  out  of 
control  for  a reliability  of  .85*  It  is  therefore 
decided  that  a new  reliability  is  to  be  assumed 
and  revised  control  limits  determined.  Since 
there  is  only  one  point  on  the  upturn  the  new  es- 
timate of  reliability  is 


n-l  124 

n-1  " 133  “ 


• 932«  .93 


Therefore,  *93  is  the  assumed  current  reliability 
end  the  limits  are  revised  accordingly.  Obviously 
these  control  limits  do  not  take  into  considera- 


442 


tion  the  sampling  variation  of  the  new  estimate 
of  reliability.  This,  however,  is  of  minor  im- 
portance. 

The  procedure  recommended  for  the  best  esti- 
mate of  current  reliability  is  by  grand  lotting 
all  data  applicable  to  the  current  control  chart 
and  using  the  ordinary  binomial  reliability. 

Thus,  the  best  estimate  of  current  reliability  is 

129  + 93  + 109)  - 36  b29 

+ 129  + 93  +109)  “,923  • 

References 


(13*  + 


1.  Feller,  William,  An  Introduction  to  Proba- 
bility Theory  and  Its  Application,  John 
Wiley  and  Sons,  New  york,  1 95* 

2.  Finney,  D.  J.,  "On  a Method  of  Estimating 
Frequencies",  Biometrika,  36  (19*9),  pp 
233-23* 

3.  Haldane,  J*  B.  S.,  "On  a Method  of  Esti- 
mating Frequencies",  Biometrika,  33  {19*3- 
19*6),  pp  222-224 


Observed  Number  of  Tests  up  to  and  Including  10th  Defect 


FIGURE  1 


OPTIONAL  STOPPING  SAMPLING  CONTROL  CHART 
FOR  THE  APS  DEVELOPMENTAL  PROGRAM 

(k  = 10,  PROBABILITY  OF  FALSE  CHANGE,  %) 


444 


TABLE  I 


NUMBER  OF  TESTS  AND  ASSOCIATED  CUMULATIVE  PROBABILITIES 
FOR  k = 10  AND  SPECIFIED  RELIABILITIES 


Cumulative  Probabilities 


.005 

.01 

.025 

.05 

.5 

*95 

*975 

•99 

85 

28 

30 

34 

38 

64 

101 

110 

121 

86 

29 

33 

36 

4l 

69 

109 

118 

130 

87 

31 

34 

39 

44 

74 

117 

127 

l4o 

_ 88 

34 

37 

42 

47 

80 

128 

139 

152 

-89 

37 

4o 

46 

51 

88 

139 

151 

166 

>> 

£ 90 

4o 

44 

50 

56 

96 

154 

I67 

183 

1 91 

44 

49 

55 

62 

107 

171 

186 

204 

H 92 

49 

55 

62 

70 

121 

193 

210 

230 

M 93 

56 

62 

71 

79 

138 

221 

240 

264 

1 94 

65 

72 

82 

92 

l6l 

258 

281 

309 

3 95 

77 

86 

98 

110 

193 

311 

338 

371 

! 96 

96 

106 

122 

137 

24l 

389 

423 

465 

PH 

97 

226 

l4i 

162 

183 

322 

520 

565 

622 

98 

189 

209 

242 

273 

483 

782 

850 

935 

99 

374 

4i6 

482 

544 

967 

1567 

1704 

1873 

44-5 


*995 

128 

137 

l48 

161 

l?6 

195 

217 

244 

280 

328 

394 

494 

661 

994 

1994 


TABLE  II 


RESULTS  OF  762  DEVELOPMENT  TESTS 
FOR  AN  AUXILIARY  POWER  SUPPLY  SYSTEM 
k = 10 


Group  Number  of  Tests  Number  of  Failures 


1 

4l 

10 

2 

100 

10 

3 

87 

10 

4 

6s 

10 

5 

134 

10 

6 

129 

10 

7 

93 

10 

8 

109 

6 

446 


STATISTICAL  CIRCUIT  ANALYSIS  IN  PRACTICE 


F.  A*  Applegate  - N.  A.  Sclanna 
Light  Military  Electronics  Department 
General  Electric  Company 
Utica,  New  York 


Abstract 


In  recent  years  several  methods  of  re- 
lating component  part  behavior  to  circuit 
behavior  have  been  described;  however, 
the  author  knows  of  no  papers  relating 
the  so-called  statistical  circuit  analysis 
to  a component -part  test  program. 

Assuming  a correct  model,  circuit  syn- 
thesis is  only  as  good  as  the  component 
part  data  used.  Because  of  this  depend- 
ence upon  accurate  component  part  data, 
considerable  effort  must  be  expended  in 
designing  an  accurate  and  efficient 
component -part  testing  program.  The  re- 
sults of  this  test  program  must  lend  them- 
selves to  any  analysis  model  selected. 

This  paper,  then,  describes  a program 
for  the  collection  and  use  of  component - 
part  test  data  for  reliability  in  general 
and  for  statistical  circuit  analysis  in 
particular . 


Introduction 


One  of  the  long-standing  problems  in 
reliability  has  been  the  selection  of  the 
component  part  of  highest  reliability  for 
a given  application.  The  solution  of  this 
problem  has  followed  a somewhat  lengthy 
evolution-  From  the  early  simple  quali- 
fication tests  we  have  progressed  to  a 
stage  where  we  now  test  for  the  specific 
reliability  of  each  part  and  vendor  with 
the  most  reliable  one  selected  for  the 
application. 

Needless  to  say,  all  of  these  methods 
for  selecting  parts  and  vendors  are  ex- 
tremely expensive-  Besides  the  expense, 

It  is  necessary  to  keep  large  samples  on 
test  for  long  periods  of  time  to  demon- 
strate high  reliabilities. 

The  part  and  circuit  standardization 
of  digital  equipment  persuaded  many  com- 
panies to  test  a few  parts  and  circuits 
intensively.  These  same  companies  soon 
realized,  however,  that  It  was  extremely 
wasteful  to  test  just  for  the  sake  of  re- 
liability numbers,  and  they  began  to 
measure  some  of  the  more  important  part 
parameters.  Unfortunately,  most  companies, 
vendor  and  user  alike,  continue  to  test 
at  maximum  operating  conditions  only . 

Some --in  hopes  of  achieving  an  accelerated 
test- -operate  the  part  in  excess  of  rat- 
ing. In  any  event,  component -part  para- 
meter data  In  distribution  form  have  now 
became  available . 

With  this  data  in  existence  for 


various  temperature,  electrical,  and  en- 
vironmental conditions,  it  was  natural  to 
start  designing  circuits  which  would  oper- 
ate at  the  worst  case  combinations. 

Several  objections  were  found  to  this 
"worst  case"  design.  In  some  cases,  a 
worst  case  design  could  not  be  found.  In 
others  worst  case  design  was  found  to  be 
unduly  pessimistic.  Some  worst  case  com- 
binations just  could  not  exist*  and 
even  the  very  definition  of  what  con- 
stituted a worst  case  value  was  ques- 
tionable . 

Most  of  the  difficulties  can  be  over- 
come, however,  and  useful  worst  case  cir- 
cuits can  be  designed.  These  designs  can 
be  Improved  by  considering  the  statistical 
implications  of  the  worst  case  limits.  In 
other  words,  the  approach  to  design  is 
changed  to  tolerate  specific  areas  of  part 
parameter  distributions. 

With  a statistical  circuit  analysis, 
it  is  readily  apparent  if  a design  requires 
improvement.  In  fact  If  the  analysis  is 
made  properly,  it  can  even  reveal  the 
specific  part  parameters  that  need  to  be 
improved , 


General  Flan 


Because  the  general  reliability  pro- 
gram which  follows  is  dependent  upon  the 
degree  of  part  and  circuit  standardization 
realized,  the  first  reliability  objective 
is  to  meet  the  required  standardization. 
Experience  has  shown  that  this  must  be 
accomplished  In  the  proposal  phase  if 
standardisation  is  to  become  a reality. 

Today's  digital  equipment  permits  ex- 
tensive use  of  standard  parts  and  cir- 
cuits, but  what  of  those  equipments  which 
will  not  permit  such  standardization?  The 
same  general  reliability  program  can  be 
applied,  but  It  will  be  extremely  expen- 
sive If  followed  to  the  extent  described 
here . The  approach  described  Is  for 
digital  equipment;  for  other  designs  the 
program  will  usually  have  to  be  far  less 
extensive , 

Initial  circuit  design  can  be  accom- 
plished by  using  worst  case  values  which  are 
either  calculated  from  prior  data  or 
obtained  from  vendor  data.  This  Is  done 
to  achieve  a working  design  as  early  as 
possible  so  that  other  design  work  may 
proceed , In  actuality,  many  of  the  cir- 
cuit designs  based  upon  the  design  pro- 
cedures described  here  will  already  exist 
from  prior  development. 


Following  the  initial  design  a de- 
tailed circuit  analysis  is  started  on  all 
new  circuit  designs . This  analysis  is 
begun  at  the  same  time  as  the  parts  test- 
ing program.  The  purpose  of  the  circuit 
analysis  is  to  derive  an  expression  in 
terms  of  measurable  part  parameters  for 
each  circuit  parameter.  The  fact  that 
measurable  part  parameters  must  be  used 
in  the  derived  expression  eliminates  many 
possible  expressions.  This  is  the  major 
problem  in  finding  ac-circuit  expressions 

Considerable  effort  must  be  expended 
to  make  the  part-testing  program  efficient, 
for  this  activity  is  the  most  expensive 
; portion  of  a reliability  program.  The 
circuit  synthesis  which  follows  the  part- 
test  program  is  only  as  accurate  as  the 
component-part  data  used.  Ac curacy * there- 
fore,, is  a continual  concern  in  part 
testing.  The  results  of  the  test  program 
must  be  put  into  a form  so  that  any  cir- 
cuit synthesis  method  may  be  used.  The 
data  must  also  permit  determination  of 
worst  case  values.  Simultaneously  with 
the  generation  of  part  parameter  data* 
vendors  are  ranked  for  quality,  and  actioj 
is  initiated  to  correct  for  any  component 
part  deficiencies. 

Following  the  generation  of  component 
part  parameter  distributions,  this  data 
is  combined  with  the  circuit  parameter 
expression  derived  from  the  circuit  anal- 
ysis . Several  methods  exist  for  this 
procedure,  the  most  common  of  which  is 
the  1?Monte-Carlon  or  random -samp ling 
technique . The  result  of  any  of  these 
procedures  is  a distribution  of  the  cir- 
cuit parameter  according  to  the  individ- 
ual component -part  parameter  variations. 

Using  the  circuit  parameter  distri- 
bution along  with  some  criteria  of  satis- 
factory circuit  parameter  performance,  it 
is  possible  to  determine  which  designs 
are  satisfactory  and  which  are  not.  De- 
sign improvements  can  then  be  initiated 
where  the  need  exists. 


Part  Test  Program 

Although  the  part  test  program  func- 
tions as  a tool  for  vendor  selection  as 
well  as  the  source  of  part  parameter  de- 
sign data,  this  discussion  will  be  limited 
to  the  testing  program  for  a single  ven- 
dor. Other  vendors  require  essentially 
a duplication  of  the  described  effort. 

Before  subjecting  a part  to  an  ex- 
tensive test  program,  it  is  first  ascer- 
tained that  the  part  does  exhibit  the 
electrical  characteristics  desired.  This 
is  determined  through  a series  of  meas- 
urements on  separate  samples  from  those 
later  subjected  to  reliability  testing. 

Sample  sizes  are  determined  to  pro- 


vide statistically  valid  results  from  all 
testing.  To  minimize  sample  sizes  prior 
information  including  vendor  data  is  used 
whenever  it  is  available . No  fixed  sam- 
ple size  is  correct  for  all  tests,  but 
the  size  usually  varies  between  25  and  300 
with  50  being  the  most  common.  It  is  sig- 
nificant that  failure  rates  are  not  a 
product  of  this  testing,  but  detailed 
parameter  data.  This  accounts  for  the 
relatively  small  sample  sizes  . 

The  part  test  program  is  designed  to 
investigate  many  different  considerations, 
from  environmental  to  electrical . No 
test  program  can  be  the  final  answer  in 
test  techniques.  The  procedures  are  con- 
tinually being  improved  upon  as  new 
methods  are  found  to  conduct  more  accurate 
tests,  more  economically.  The  only  fixed, 
requirement  is  to  obtain  data  describing 
the  variation  of  the  part  parameter  under 
environmental  and  electrical  conditions, 
and  over  the  intended  operational  life . 

Usually  a vendor’s  samples  are  divided 
into  at  least  three  groups . One  sample 
is  subjected  sequentially  to  each  of  the 
environmental  conditions  to  be  encountered 
in  operation.  The  order  of  sequencing  is 
normally  selected  at  random  except  where 
several  vendors  are  being  compared,  in 
which  case  identical  order  is  followed . 

The  second  sample  is  placed  directly  on 
an  operating  life  test . The  third  sam- 
ple is  subjected  to  an  environmental  ex- 
posure which  is  suspected  of  being  de- 
trimental to  the  part . This  sample  is 
then  placed  on  an  operating  life  test 
identical  to  the  second  sample . 

The  life  tests  can  be  either  a steady 
state  test,  an  on-off  cycled  test,  a 
temperature -cycled  test  or  both.  The 
type  depends  upon  the  intended  operational 
use  of  the  equipment.  The  fact  that  life 
tests  are  conducted  under  actual  elec- 
trical conditions  expected  in  operation 
is  a significant  departure  from  most  part 
testing  and  is  desirable  for  two  reasons: 
(l)  Semiconductors  can  be  less  stable  at 
low  levels  of  operation  than  they  are  at 
rated  conditions  (2)  We  are  looking  for 
accurate  answers  In  the  circuit  synthesis 
described  in  this  paper,  and  therefore, 
we  want  to  minimize  errors  introduced  In- 
to the  calculations.  The  life  test  Is 
conducted  (if  non-cycled)  at  the  maximum 
expected  operating  temperature,  but  meas- 
urements are  taken  at  room  temperature 
and  low  temperature  as  well . 

In  addition  to  the  testing  described, 
data  is  gathered  so  as  to  construct  fami- 
lies of  curves  wherever  vendor  data  does 
not  furnish  adequate  results  . These 
families  of  curves  include  electrical  and 
temperature  variations . 

By  data  reduction  we  attempt  to  pro- 
vide maximum  information  in  s implest 
form.  The  data  is  directed  at  two  groups 
of  people.  Curves  with  brief 


tables  of  worst  case  values  are  con- 
structed for  design  engineers.  Additional 
tables  providing  the  statistics 
used  in  reliability  circuit  analysis  are 
constructed  for  reliability  engineers. 

An  example  of  curves  prepared  for  de- 
signers is  the  transistor  curves  in  Figure 
1.  Figure  2 is  a specific  transistor 
parameter  showing  the  mean  and  a measure 
of  dispersion.  Figure  3 presents  the  re- 
sults of  a typical  life  test  with  the  25° C 
measurements . 

Figure  4 is  another  plot  of  the  same 
data  shown  in  Figure  3-  But  this  time  it 
is  intended  for  reliability  engineers . 
Another  version  of  this  plot.,  which  is 
used  for  quick  communication  of  sample 
distribution  changes*  uses  the  sample 
item  number  to  check  individual  items . 

Table  1 presents  the  sample  statistics 
recorded  from  a typical  test.  These 
tables  which  are  retained  by  Reliability 
Engineering  are  intended  to  provide  the 
statistics  which  might  be  required  by  any 
group . Definitions  are  shown  in  Appendix 
A.  A similar  table  represents  percent 
changes . 

Each  table  and  graph  records  specific 
vendor  and  part  type  except  for  those 
cases  where  collective  data  represent  a 
part  type  made  by  several  vendors . Besides 
the  tables  and  graphs  retained  by  relia- 
bility,, the  raw  data  is  kept  until  the 
part  type  is  obsolete. 

Another  table  provided  designers  for 
use  with  a specific  design  is  a table  of 
worst  case  limits.  These  limits  are 
specific  for  each  design  because  of  vary- 
ing temperature*  life*  and  environmental 
requirements . Table  2 is  a brief  example 
of  such  a table . 

In  addition  to  the  data  reduction 
already  described * various  analysis  tech- 
niques are  used  in  forming  inferences 
about  the  populations . Regression  anal- 
ysis is  performed  wherever  called  for., 
and  often  special  correlation  studies  are 
made  for  use  in  the  statistical  circuit 
analysis  described  below.  Various  tests 
of  hypotheses  are  made  in  selecting  ven- 
dors, evaluating  part  improvement * and  so 
on.  Generally*  besides  being  scrutinized 
for  the  specific  purpose  of  the  test*  the 
data  is  carefully  analyzed  for  whatever 
other  information  it  might  yield. 

Statistical  Circuit  Analysis 


The  first  step  in  performing  a sta- 
tistical circuit  analysis  or  a worst  case 
analysis*  is  to  find  an  expression  for 
each  circuit  characteristic  in  terms  of 
measurable  part  parameters.  A criterion 
must  also  be  established  for  the  unsatis- 
factory performance  of  each  circuit  char- 
acteristic . 

As  an  example  of  the  derivation  of 
circuit  equations  used  in  worst  case  and 


in  statistical  circuit  analysis*  the  dc 
equations  for  what  has  been  called  a 
,f standard”  Nor  circuit  will  be  derived. 
This  circuit  Is  shown  in  Figure  5.  Such 
derivations  must  be  accomplished  for  each 
circuit  parameter  of  every  circuit  used . 

Examination  of  the  Logic  Nor  shown  in 
Figure  5 reveals  two  modes  of  failure . 
These  modes  can  be  expressed  as  circuit 
parameters*  and  their  equations  can  be 
derived. 

Failure  Modes 


The  first  mode  of  failure  is  the  cir- 
cuit’s Inability  to  deliver  the  specified 
amount  of  load  current.  This  Nor  was  de- 
signed to  deliver  four  units  of  such 
current.  Degree  of  overdrive  (DOD)*which 
is  used  as  a figure  of  merit*  Is  set  equal 
to  the  product  of  the  transistor  current 
gain  and  the  base  current  of  the  transis- 
tor* divided  by  the  maximum  required  out- 
put current  (four  units  of  load  current). 
This  is  expressed  as: 


DOD 


hFEJB 


where:  h^E  is  the  transistor  current  gain 
Ig  is  the  transistor  base  current 
1^  is  one  unit  of  load  current 

Failure  occurs  when  DOD  is  less  than  one. 

The  second  mode'  of  failure  in  this 
Logic  Nor  is  for  the  circuit  to  be  con- 
ducting when  cutoff  is  desired.  The  Nor 
transistors  must  not  conduct  when  one  of 
the  Input  diodes  is  forward  biased  and 
returned  to  ground  through  a saturated 
transistor.  Failure  occurs  when  the  base 
to  emitter  voltage  of  the  transistor  (Vgg) 
reaches  a critical  value  that  permits 
conduction. 

For  definition  of  symbols  used  in  the 
following  derivations  see  Appendix  B. 

Derivation  of  Transistor  Base  Current  (in) 


Referring  to  Figure  6a*  assume  that 
Q1  is  conducting.  Let  Iq  represent  the 
total  leakage  at  the  input  of  the  circuit . 


(i)  ii  - i2  + i± 


<2>  ^ - i3  + iB 
(3)  E-^  + E2  = I^R-l  + 


(4)  I3 


Ep  + Vg 
^3 


i2r2  + I3R3 


where  Vg  is  the  transistor  base  to  emitter 
voltage  at  saturation.  For  Iq  in  equation 
(3)*  substitute  equation  (l). 


(5)  Ex  + E2  = I±Ri  + I2(Ri+R2)  + x3r3 


For  I2  in  equation  (5),.  substitute  equa- 
tion ^2)  . 

(6)  E1  + E2  = + I3(R1+R2+R3) 

+ ib(r1+r2) 

For  I3  in  equation  (6),  substitute  equa- 
tion (4) . 


Derivation  of  Degree  of  Overdrive  (POD) 
By  definition: 


(1)  D0D  = hPEZB 


(7)  Ex  + E2  = liRi 


+ ( Ep+VR ) { R-j  +Rp+R^  ] 


+ IB(Ri+R2) 

After  simplifying  and  solving  for  IB 


(8)  IB  = 


En 


Eg  IjRj  _ VB(R1+RP+R^) 


R3  R^+Rg  R^ (R1+R2) 


Derivation  of  One  Unit  of  Load  Current  (l l) 

In  Figure  6B  one  unit  of  load  is  the 
current  load  one  Nor  circuit  represents. 
This  diagram  must  be  thought  of  as  a load 
circuit  with  Q2  being  the  transistor  of 
the  original  Nor  circuit  being  analysed, 

(1)  Bq  + E2  - R^Ii  + R2^"2  + ^3X3  * 

(2)  J1  * XL  + I2 

(3)  l!  - Jl-- 

R1 

(4)  I3  = la  + ICEi 

For  I 2 and  in  equation  (l)  substitute 
equations  (37  and  (4)  respectively. 

(5)  + Eg  = Ej  _ (VC+VB)  + (Rg+R3)l2 

+ R3ICER 

E2  + YC  + VD  ~ Vcer 


(6)  I; 


r2  + R3 


(7)  IL  = - L 


(8)  It 


E1  - (VC+Vd)  Ep+V’  +J^-^CER 


Ri 


(9)  l = h _ _Jk-  _ tVC+VP>K+R2+R3> 

L R{  r2+R3  r-^(r2+r3) 

+ r3tcer 

R2+H3 


4it 


Ib  and  Ij,  were  derived  above , After  pro- 
per arrangement  of  primes  in  the  equation 
for  1^,  these  two  equations  are  substi- 
tuted into  (1)  for  IB  and  respectively, 
The  result  after  simplification  is  the 
following  expression  for  DOD. 

(2)  DOD  * ~ 

where,  A = hFERl ( R2+R3 ) [e^R3-E2(R^+R2) 

- vb(h1+r2+r3)  - r1r3i1] 

and,  B = 4R3 ( R^Bg ) jEx ( Rg+Rp  - EgH{ 

- (Vq+Vjj ) (r-l+r2+r3  )+Eir3IcerJ 

Derivation  of  Transistor  Base 
Voltage'  at  Cutoff  fy-R^T 

Refer  again  to  Figure  6B.  This  time 
it  is  the  circuit  instead  of  the  load 
which  is  of  interest  in  the  derivation. 

(1)  E1  + E2  = R1I1  + Rglg  + r3I3 

(2)  I3  = I2  + ICER 

(3)  X2  = I1  + TCER 


C4)  ^ - (vpvD) 


En  ~ (V„  +V_) 


(5)  % ■-L«1 

(6)  vBR  = r3i3  - e2 

For  I2  and  in  equation  (l)  substitute 
(3)  and  {5)  respectively. 

(7)  Ea  + Eg  = Ej  - Vq  - VD  + (R2+R3)I3 

(8)  I- 


" R2ICER 

E + V " + V + R1 
2 C D 2 CER 


r2  + r3 


For  in  equation  (6)  substitute  equation 

(s).-5 


(9)  V 


-(Eg)  + (E2+Vc+Vd+R2Icer)R3 


BR 


r2  + r3 


*Note:  Single  primes  are  used  to  dis- 
tinguish parameters  appearing  in  the 
load  from  their  counterparts  in  the 
circuit  being  analyzed. 


*Note:  Double  primes  are  used  to  distin- 
guish parameters  appearing  in  the  source 
from  their  counterparts  In  the  circuit 
being  analyzed. 


(10)  VBR  = 


H3(vc+VD+RgICER) 


e2r2 


r2  + r3 


Before  the  derived  circuit  expressions  are 
accepted  as  satisfactory,  they  should  be 
checked  by  laboratory  measurement  of  parts 
and  circuits . It  is  usually  a simple 
matter  to  insure  no  gross  errors , and 
quite  often  approximations  are  sufficient. 

The  first  step  in  reliability  circuit 
analysis  is  to  perform  a worst  case  anal- 
ysis. In  this  analysis  worst  case  limits, 
as  derived  in  the  part  testing  programs 
are  entered  into  the  circuit  expression, 
and  a determination  of  circuit  acceptabil- 
ity is  made . If  the  circuit  works  under 
worst  case  conditions  * the  analysis  is 
complete.  If  the  circuit  does  not  work 
under  worst  case  conditions,  then  further 
analysis  is  required  to  determine  the  prob- 
ability of  failure.  Table  3 presents  the 
results  of  a typical  worst  case  analysis 
on  the  circuit  described  above  . It  can  be 
seen  that  both  circuit  parameters  fail 
under  worst  case  conditions , 

It  can  also  be  seen  readily  that  the 
worst  case  conditions  cannot  arise  to- 
gether. For  example  low  fi  (hpE)  occurs  at 
low  temperature  while  high  Ico  and  1± 
occur  at  high  temperature.  Such  inconsis- 
tencies can" sometimes  be  resolved  by  per- 
forming  the  analysis  once  at  high  temper- 
ature and  once  at  low  temperature.  If  this 
correction  shows  that  the  circuit  charac 
terlstic  is  satisfactory,  the  analysis 
can  stop.  Otherwise,  it  continues  as  a 
statistical  circuit  analysis. 

There  are  two  principal  methods  of 
statistical  circuit  analysis . The  first, 
and  most  widely  used  Is  the  Monte  Carlo  or 
random  sampling  technique.2  This  tech- 
nique randomly  samples  from  the  distribu- 
tion of  each  part  parameter  and  solves 
the  circuit  parameter  expression.  Many 
solutions  of  this  expression  provide  a 
distribution  of  the  circuit  characteristic 
considered.  From  this  distribution,  sta- 
tistics describing  the  population  can  be 
calculated  and  used  to  determine  probabil- 
ities of  failure.  This  is  quite  a simple 
procedure  and  is  relatively  quick  on  high 
speed  computing  devices , 

The  other  principal  method  of  statis- 
tical circuit  analysis  is  the  method-of- 
moments  or  the  propagation- of -errors  tech- 
nique . Essentially,  this  technique  sub- 
stitutes a Taylor  expansion  for  the  char- 
acteristic expression-  The  theory  of 
propagation  of  errors  permits  a combina- 
tion of  component  parameter  moments  to 
form  corresponding  circuit  characteristic 
moments . This  extremely  flexible  tech- 
nique allows  for  a simple  solution  of 
correlated  and  non -normal  part  parameters 
as  well  as  the  less  complex  problems .1  It 
has  been  shown  that  the  two  methods  provide 
approximately  equal  answers  . Reference 


1 neglects  the  fact  that  the  method  of 
moments  can  be  made  even  more  accurate  by 
considering  correlations  and,  if  necessarj 
,a  second  order  expansion. 

Using  the  method  of  moments,  which  is 
well  described  in  references  4 and  5j  the 
following  probability  of  failure  from  com- 
ponent part  variation  was  found  for  the 
circuit  example  used  above: 

POD  VBR  TOTAL 

Standard  Hor  -000153  .001395  .001548 

Either  of  these  techniques  may  be  per- 
formed separately  at  high  or  low  tempera- 
ture, at  Initial  conditions,  or  end-of- 
life.  The  usual  technique  is  to  synthe- 
size one  distribution  for  all  conditions. 
Although  the  example  deals  with  transis- 
torized digital  circuitry  the  technique 
Is  applicable  to  tube  and  analog  cir- 
cuitry. Several  of  the  references  deal 
with  such  examples . 

Conclusions 


This  program  of  part  testing  coupled 
with  statistical  circuit  analysis  has  been 
extremely  successful  at  LMED.  Using  these 
techniques  along  with  other  elements  of  a 
strong  reliability  program,  average  com- 
ponent part  failure  rates  of  .008  x 10-6 
per  hour  have  been  achieved.  This  accom- 
plishment has  been  achieved  with  standard 
production  components  without  benefit  of 
special  processing  or  1fburn-inTI  , 

With  the  program  In  use  on  several 
R&D  projects,  the  procedures  are  con- 
tinually being  improved.  For  example, 
studies  are  now  underway  to  reduce  the 
number  of  samples  tested . It  is  hoped 
that  one  sample  can  be  sequentially  sub- 
jected to  all  test  conditions,  providing 
greater  accuracy  at  lower  cost. 

Use  of  reliability  programs  like  this 
one  actually  permit  improvements  In  de- 
sign reliability,  permit  the  selection  of 
"most11  reliable  designs  and  the  detection 
of  designs  needing  improvement.  This  is 
a big  step  toward  more  reliable  equip- 
ment . 


451 


References 


1.  Nussbaum,  E.,  Irland,  E.  A. , Young, 

C.  E.,  "Statistical  Analysis  of  Logic 
Circuit  Performance  in  Digital  Sys- 
tems", Proceedings  of  the  IRE,  Vol . 

49  #1,  January  1961 

2.  Hellerman,  L.,  Racite,  M.P.,  "Re- 
liability  Techniques  for  Electronic 
Circuit  Design",  IRE  Transactions  on 
Reliability  and  Quality  Control, 
#RQC-l4,  September  1953 

3.  Marini,  J. , Williams,  R.  T.,  "The 

Evaluation  and  Prediction  of  Circuit 
Performance  by  Statistical  Techniques", 
Proceedings  of  Joint  Military- Industry 
Symposium  on  Guided  Missile  Reliability 
1957  

4.  Hindricks,  R.  H . , "A  Statistical  Method 
for  Analyzing  the  Performance  Varia- 
tion of  Electronic.  Circuits" , Convair 
Report  No.  ZX-7-009,  3 October  1953 

5*  Hindricks,  R.  H.,  "A  Second  Statis- 
tical Method  for  Analyzing  the  Per- 
formance Variation  of  Electronic  Cir- 
cuits", Convair  Report  No.  AZ-7-010, 

15  February  1956  — - 


452 


. 453  _ 


TABLE  2 


WORST  CASE  DESIGN  LIMITS 
XYZ  Program 


Vendor  A 
Vendor  B 
Vendor  C 
Vendor  D 
Vendor  E 


Vendor  E 


1/8  watt  resistor 
1/8  watt  resistor 
1 watt  resistor 
1000  nfifd . 10$  capacitor 
Signal  Diode 


Signal  Transistor 


Dwg.  No, 
Dwg . No . 
Dwg . No . 
Dwg . No . 
Dwg.  No. 


Dwg.  No. 


Resistance  +1.75$,  -2.25$ 
Resistance  +1.55$,  -2.30$ 
Resistance  +16.58$,  -21.20$ 
Capacitance  +12.20$,  -11 .60$ 

Vp  at  50.  ma  1.502'v,  ,558v 
Ir  at  -lOv  3*811  p,a 
C0  at  VR  = 0 13-61  mifd. 

Icbo  ^cdo  ~ 30v  10]ia 

= lv  1 

- 30  maj  110-  so 

- 30  mal  , . 

. 3 ma  J ^ -450v 


PE  afc  VCE 
& Iq 
VcE(sat)  Ic 
& IB 


TABLE  3 
STANDARD  NOR 


Circuit  Limits 

Circuit  Parameter  Minimum  Maximum 


Part  Conditions  for 
Minimum  Maximum 


VBR 


DOD 


-1.92V- 


.178 


E2 

14  ,4V 

9.6v 

VC 

.025v 

.455v 

vD 

.462v 

• 985v 

r2 

3 -889K 

3 -742K 

r3 

19.15K 

19-  9K 

ico 

0 

.210  n 

Ei 

9 .6v 

10 .8v 

e2 

10 ,8v 

9 .6v 

vc 

■ 15v 

1.592 

^D 

.462 

-985v 

Ii 

.853  ma 

0 

ico 

.210  ma 

0 

VBF 

, -75v 
l4 

• 59v 
140 

R1 

3 -889K 

3-742K 

R2 

3 .889K 

3-742K 

r3 

RV 

19.15K 

19. 9K 

3 -742K 

3.889K 

3 .889K 

3-742K 

R§ 

19. 9K 

19.15K 

45A 


APPENDIX  A 


APPENDIX  B 


EXPLANATION  OF  STATISTICS 


LIST  OF  SYMBOLS  AND  DEFINITIONS 


Symbol  Definition 


Symbol  Definition 


N 

X 


S 

Range 


Min 

Max 


Number  of  samples  used  for  the 
test . 

The  mean  value,  calculated  from: 
n 

y nr  xi 

x i = 1 

N 

Variance,  calculated  from: 

n 2 

p H xi2  - Nx 

S2  = i-1 

N - 1 

Standard  deviation,  equal  to  the 
square  root  of  the  variance . 

The  span  of  the  data,  calculated 
from: 

Range  = x max  - x min 
The  minimum  value  recorded. 

The  maximum  value  recorded . 


V 


o<3 


H3 


\A 


The  coefficient  of  variation,  in 
percent,  calculated  from: 

V = 1QQS 

Standard  error,  calculated  from: 


Momental  skewness,  calculated 
from: 

o<3  = m3/s3 

A measure  of  skewness,  calculated 
from : 

fil  ~ 1x3  /|j.23 


Kurtosis,  calculated  from: 

ft  2 ~ M-V [i22 

Third  moment  about  the  mean, 
calculated  from:  ^ 

U3  = S (X1  - *> 

s 

Fourth  moment  about  the  mean 
calculated  from: 

n ^ 

ZT  (xi  - x) 

= 1=1 

N 


Hpg  or  ft  DC  current  gain  of  a transistor 


VCE 


Collector  to  emitter  voltage  drop 
of  a transistor  at  saturation 


VBE 


Base  to  emitter  voltage  drop  of  a 
transistor  at  saturation 


ICER 


Leakage  current  of  the  transistor 
with  both  junctions  (CB  & BE) 
back  biased 


Ii 


VD 

VBR 

DOD 


% 


Total  input  leakage  of  a nor  cir- 
cuit at  saturation.  Usually  the 
sum  of  transistor  leakage  and 
diode  reverse  currents . The  num- 
ber of  each  is  established  by 
logic  rules . 

Forward  voltage  drop  of  a diode 


Base  to  emitter  voltage  of  the 
transistor  established  by  the 
circuit  when  cutoff  is  desired. 


Figure  of  merit  of  the  circuits 
drive  capability  defined  as 


DOD 


HfeIb 

II 


Base  current  of  a transistor  when 
saturation  is  desired. 


Unit  load  current  - a current 
drain  that  a nor  circuit  repre- 
sents to  its  source. 


I q Collector  current  of  transistor 

at  saturation.  Ic  ■ N 1^  where 
N is  the  nuniber  of  units  of  load 
a circuit  is  designed  to  deliver 


9 


455 


b51 


2N697  TRANSISTOR 
LIFE  TEST,  GROUP  IA,  lBL  ® /25°C 

N=  50 


458 


IN  U AMPS 


^9 


46o 


46i 


=1 


/WWWH 1 1 1 — 


ro 

(Z 


itf1 


462 


SEVENTH  MILITARY- INDUSTRY  MISSILE  AND  SPACE  RELIABILITY  SYMPOSIUM 

18-21  JUNE  1962 


NAME 

activity/industry 

AAKHUS,  Robert  C. 

Minneapolis  Honeywell 
Ordnance  Division 
600  2nd  St,  No. 
Hopkins,  Minnesota 

AALSETH,  Jack  EL  don 

United  Testing  Laboratories 
150  Wolfe  Road 
Sunnyvale,  California 

AAEON,  James  Phillip,  Jr. 

Hercules  Powder  Company 
P,  0.  Box  210 
Cumberland,  Maryland 

ABERNETHY,  Robert  B. 

Pratt  Sb  Vfhitney  Aircraft 

P.  0.  Box  2691 

West  Palm  Beach,  Florida 

ADAMOWICZ,  Charles  M. 

Lockheed  Missiles  & Space  Company 
510  Middlefield  Road 
Mt . View,  Cal i f or ni a 

ADAMS,  William  R. 

BUWEFSFLTREA  DREF  PAC 
MAS  Worth  Island 
San  Diego,  California 

ALBRIGHT,  Donald  J. 

U.  S.  Air  Force 
ATC  Project  Office 
AF  Unit  Post  Office 
Los  Angeles  4^,  California 

ALLEN,  Ethan  0. 

Bell  Aero systems  Company 
P*  0 * Box  1 
Buffalo  5,  New  York 

ALTHAUS,  Edward  J . 

Hughes  Aircraft  Co. 

Florence  Avenue  & Teale  Sts, 
Culver  City,  California 

AMON,  Frank  D. 

General/ Dynami cs 
Pomona,  California 

AMSBERRY,  George  H. 

Douglas  Aircraft  Company,  Inc, 
3000  Ocean  Park  Boulevard 
Santa  Monica,  California 

ANDERSON,  Robert  Harland 

Atomics  International 

Box  309 

Canoga  Park,  California 

ANDREWS,  Chris  W. 

Douglas  Aircraft  Company,  Inc. 
3855  Lakewood  Boulevard 
Long  Beach,  California 

ANKENBRANRT,  Francis  L. 

Radio  Corporation  of  America 
Defense  Electronic  Products 
Building  2-5 
Front  & Cooper  Streets 
Camden,  New  Jersey 

ARATA,  George  H. 

U.  S.  Naval  Air  Test  Facility 
(Ship  Installations) 

U.  S.  Naval  Air  Station 
■Lakehurst,  New  Jersey 

^63 


NAME 

ARMSTRONG,  Charles  Vincent 


ATHERTON,  Paul  G. 


AUERBACH,  Albert 

AXEL,  Stanford  J, 

AXTELL,  Robert  C. 

CAPT,  USAF 

BABCOCK,  Daniel  L. 

BAILEY,  George  R. 

BALL,  Alpheus  M. 

BALL,  Leslie  Wilson 

BALLARD,  William  E. 
BALLEW,  Robert  W. 
BARBE,  Martin 

BARLOW,  Edward  J. 

BARNES,  Curtis  H.,  Jr, 
LCDR,  USN 

BARRETT,  Marvin  0. 


BARSTOW,  Glidden  J. 


ACTIVITY/lNDUSTRY 

BUWEPSREP 

1675  West  5th  Street 
P.  0.  Box  1011 
Pomona,  California 

International  Telephone  & Telegraph 
Corporation 

Federal  Laboratories  Division 
500  Washington  Avenue 
Nutley,  New  Jersey 

Ryan  Aeronautical  Company 
2701  Harbor  Drive 
San  Diego,  California 

Northrop  Ventura 
8000  Woodley  Avenue 
Van  Nuys,  California 

HQ  SSD  AFSC 

Los  Angeles,  California 

Solid  Propellant  Information  Agency 

apl/jhu 

8621  Georgia  Avenue 
Silver  Spring,  Maryland 

General  Dynamics/Convair 
3302  Pacific  Highway 
San  Diego  12,  California 

Hercules  Powder  Company 
Wilmington  99 > Delaware 

The  Boeing  Company 
Aero-Space  Division 
P.  0.  Box  3707 
Seattle  24,  Washington 

U.  S.  Navy  Electronic  Laboratory 
San  Diego  52,  California 

ACIC 

St,  Louis,  Missouri 

Aerospace  Corporation 
2400  El  Segundo  Boulevard 
El  Segundo,  California 

Aerospace  Corporation 
2400  El  Segundo  Boulevard 
El  Segundo,  California 

BUWEPSRESREP 

Aero j et  General  Corporation 
P.  0.  Box  1947 
Sacramento,  California 

ATC  Project  Office 

AF  Unit  Post  Office 

Los  Angeles  45,  California 

U.  S,  Navy  Electronics  Laboratory 
San  Diego  52,  California 


NAME 


ACTIVITY /I NDUSTRY 


BARTLETT,  Parker  Morse 

BARTON,  James  R. 

BAUGH,  Charles  I. 
BEALL,  Wellwood  E. 

BEATON,  George  N. 

BEAVER,  Bud  K. 

CAPT,  USN 

BECKMAN,  K.  N. 

COL,  USAF 

BEERS,  Robert  L. 

LTCOL,  USAF 

BELDEN,  Grover 
BELL,  Chauncey  F. 
BELL,  Donald  E. 


BENJAMIN,  George  C. 
COL,  USA 

BENNETT,  Emory  C. 

BENNETT,  T.  C. 
BERGER,  Brynjulf 

BERKE,  H.  R. 

CAPT,  USN 

BERMAN,  Elliot 


The  Garrett  Corporation 
9851  Sepulveda  Boulevard 
Los  Angeles  9,  California 

U.  S.  Air  Force 

ESD  (ESSTE-2)  L.  G.  HANSCOM 

Bedford,  Massachusetts 

Emerson  Electric  Company 
St,  Louis,  Missouri 

The  Boeing  Company 
P.  0.  Box  3707 
Seattle  24,  Wisconsin 

Hughes  Aircraft  Company 
Florence  & Teale  Streets 
Culver  City,  California 

BUWEPSFLTREADREPPAC 
NAD  North  Island 
San  Diego,  California 

Headquarters 

United  States  Air  Force 

Washington,  D.  C. 

Air  Force  Unit  Post  Office 
Los  Angeles  45,  California 

Aerospace  Corporation 
2400  El  Segundo  Boulevard 
El  Segundo,  California 

The  Rand  Corporation 
1700  Main  Street 
Santa  Monica,  California 

Pratt  & Whitney  Aircraft  Division 
United  Aircraft  Corporation 
9201  Wilshire  Boulevard 
Beverly  Hills,  California 

U.  S.  Army  Maintenance  Board 
Fort  Knox,  Kentucky 

Northrop  Corporation 
Norair  Division 
1001  East  Broadway 
Hawthorne,  California 

U.  S.  Naval  Air  Development  Center 
Johns ville,  Pennsylvania 

Western  Electric  Company,  Inc. 

3300  Lexington  Road 
Winston-Salem,  North  Carolina 

U,  S.  Naval  Air  Station,  North  Island 
San  Diego,  California 

U.  S,  Army  Signal  R&D  Laboratory 
Fort  Monmouth,  New  Jersey 


BETHKE  William  P.  Rome  Air  Development  Center 

Griffiss  Air  Force  Base,  New  York 

BEYER,  George  L.,  Jr.  Naval  Ordnance  Laboratory 

White  Oak,  Maryland 


46? 


NAME 

activtiy/ineustry 

BINGHAM,  Kenneth  B. 

Douglas  Aircraft  Company,  Inc. 
3855  Lakewood  Boulevard 
Long  Beach,  California 

BLACK,  Alexander  M. 

Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 

BLACK , Robert  0* 

Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 

BLAIS,  Robert  A, 

Lockheed  Missiles  & Space  Company 
Palo  Alto,  California 

BLANKS,  Eugene  H. 

Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 

BLATT,  Milton  D. 

if.  S.  Naval  Ordnance  Test  Station 
Pasadena,  California 

BLAUVELT,  Robert  T. 

U.  S.  Army 

6087  Sunset  Boulevard 
Hollywood,  California 

BIDE,  William  F. 

Martin  Marrietta  Company 
Waterton,  Colorado 

BLUHM,  Richard  W. 

The  Bendix  Corporation 
Eclipse- Pioneer  Division 
Te ter boro,  Hew  Jersey 

BLUNDELL,  Larry 

Sperry  Utah  Company 
3^11  N.  2100  W. 

Salt  Lake  City,  Utah 

BOHAN,  Janies  P. 

Sikorsky  Aircraft 
North  Main  Street 
Stratford,  Connect! cut 

BOLDEN,  Edgar  L. 

Radio  Corporation  of  America 
Camden,  New  Jersey 

BOLL,  Fred  J* 

BUWEFSREF 
Pomona,  California 

BOOTH,  Lionel  R. 
LTCOL,  USAF 

U.  S.  Air  Force  (AFSC> 

Kirtland  Air  Force  Base,  New  Mexico 

BOOTY,  Kelvin  H. 

U.  S,  Naval  Ordnance  Test  Station 
China  Lake,  California 

BOWMAN,  Kenneth  K, 

General  Electric  Company 
P.  0.  Box  8555 
Philadelphia,  Pennsylvania 

HRACHA,  Vincent  J. 
LTCOL,  USAF 

USAF  HQ  BSD  (AFSC) 

Air  Force  Unit  Post  Office 
Los  Angeles  45,  California 

BRACKETT,  Alice  Wilson 
LCDR,  USN 

U.  3.  Naval  Ammunition  Depot 
Crane,  Indiana 

BRADLEY,  John  R . 

Douglas  Aircraft  Company,  Inc. 
Missile  & Space  Systems  Division 
Santa  Monica,  California 

it66 


NAME 


ACTIVITY/INDUSTRY 


BRASHEAR,  Richard  H.,  Jr. 

Sperry  Utah  Company 
Division  of  Sperry  Rand 
322  North  21st  West 
Salt  Lake  City,  Utah 

BRELAND,  ELish,  Jr. 

Chance  Vought  Corporation 
Box  5907 

Dallas  22,  Texas 

BRENNAN,  Francis  X. 

Wright  Patterson  Air  Force  Base 
Ohio 

BRIDGES,  James  M. 

Department  of  Defense 
ODD  R&E 
The  Pentagon 
Washington,  D.  C. 

BRIGHAM,  Charles  W. 

Radio  Corporation  of  America 
Aerospace  Communications  & Controls  Division 
Junction  Routes  3 & 62 
Burlington,  Massachusetts 

BRIMLEY,  Donald  E. 

The  Rand  Corporation 
1700  Main  Street 
Santa  Monica,  California 

BROTHERTON,  Theodore  W. 

General  Dynamics/Convair 
4297  Pacific  Highway 
San  Diego,  California 

BROUS,  Chris  J. 

Atomics  International 

Division  of  North  American  Aviation,  Inc. 
89OO  DeSoto  Avenue 
Canoga  Park,  California 

BROWN,  Buford  M. 

Westinghouse  Electric  Corporation 
P.  0.  Box  1693 
Baltimore  3,  Maryland 

BRYAN,  Harold  E. 

U.  S.  Navy  Electronics  Laboratory 
San  Diego  52,  California 

BRYANT,  Hervril  M. 

U.  S.  Naval  Ordnance  Laboratory 
Corona,  California 

BRYDIA,  Ellis  M. 

MAAVA 

Olmsted  Air  Force  Base,  Pennsylvania 

BRUEGGEMANN,  Arthur  Rockefeller 
CDR,  USN 

Bureau  of  Naval  Weapons  Representative 
1675  West  5th  Street 
P.  0.  Box  1011 
Pomona,  California 

BUCHANAN,  Robert  W. 

UNIDYNAMICS 

Division  of  Universal  Match  Corporation 

472  Paul  Avenue 

St.  Louis  35>  Missouri 

BUCHELE,  Kirwan 

Douglas  Aircraft  Company,  Inc. 
Santa  Monica,  California 

BURNETT,  William  P. 

U.  S.  Army 

Redstone  Arsenal,  Alabama 

1*67 


NAME 


HJSBY,  John  W. 

BUSSEY,  Donald  G. 

BUTLER,  Raymond  E« 

BUUS,  Melvin  L. 
CAMMARATA,  John 

CAMPBELL,.  Jerry  J. 
CAMPBELL,  Richard  Sewall 
CANCILLA,  Edward 
CARLSON,  Earl  E. 

CARLSON,  Roland  Philip 

CARSON,  Albert  C. 

CDR,  USN 

CARTER,  Maurice  McCabe 
CARY,  Raymond  John,  Jr. 


ACTIVITY/ INDUSTRY 

Sperry  Gyroscope  Company 
Great  Neck,  L.I.,  New  York 

Robins  Air  Force  Base 
Georgia 

Sandia  Corporation 
■P.  0.  Box  5800 
Albuquerque,  New  Mexico 

U.  S.  Naval  Ordnance  Laboratory 
Corona,  California 

Arma  Division 

American  Bosch  Arma  Corporation 
Roosevelt  Field 
Garden  City,  New  York 

White  Sands  Missile  Range 
Standards  Laboratory 
WSMR,  New  Mexico 

General  Dynamics/Astronautics 
10544  Challenge  Boulevard 
San  Diego,  California 

Douglas  Aircraft  Company,  Inc. 

3000  Ocean  Park 

Santa  Monic  a , Cali f orni  a 

Hughes  Aircraft  Company 
P.  0.  Box  11337 
Tucson  Division 
Tucson,  Arizona 

Martin  Company 

Friendship  International  Airport  40,  Maryland 

Defense  Electronics  Supply  Center 
1507  Wilmington  Pike 
Dayton,  Ohio 

BUWEPSFLTREADREP  PAC 
NAS  North  Island 
San  Diego,  California 

General  Dynamics/Electronics 

P.  0.  Box  127 

San  Diego,  California 


CATE,  Albert  Murray 


CHANDLER,  Earl  H. 


CHANDLER,  Robert  L. 


CHARNOCK,  Lester  J. 


United  States  Air  Force 
Hans  com  Field 
Bedford,  Massachusetts 

• 

The  Garrett  Corporation 
9851  Sepulveda  Boulevard 
Los  Angeles  9>  California 

Marshall  Space  Flight  Center 
NASA,  Huntsville 
Resdstone  Arsenal,  Alabama 

Aeronautical  Systems  Division 
Wright  Patterson  Air  Force  Base 
Ohio 


NAME 


ACTIVITY/INDUSTRY 


CHEAK,  Donald  L. 
CHRISTIAN,  David  B. 

CHURCH,  Edward  E. 

CLEVELAND,  Arthur  L. 

CLINE,  Dudley  E. 

CLYMER,  Harvey  C. 

LT  COL  USAF 

COCHRAN,  Kenneth 

COFFIN,  James  C, 

COHEN;  Abraham  E. 

COLE,  Richard  W* 

COLETTA,  Arthur  P, 

COLLINS,  Lloyd  Raymond 
COLLINS,  Milford  E. 

COLLINS,  W.  M. 

CAPT  USN 

CONE,  Arvine  F. 

CONNER,  Richard  M. 

OONSALVI,  Anthony  L. 
COONEY,  Thomas  Vincent 

COONS,  Donald  E* 


NAVAVIONICS  FAC 
Indi anapoli s , Indi ana 

General  Electric,  LMED 
831  Broad  Street 
Utica,  New  York 

BUWEPSFLTREA DR EP  Pacific 

NAS  North  Island 

San  Diego,  California 

Directorate  of  Operational  Support  Engineering 

Aeronautical  Systems  Division 

Wright  Patterson  Air  Force  Base,  Ohio 

U.  S.  Army  Advent  Management  Agency 
Fort  Monmouth,  New  Jersey 

Ballistic  Systems  Division,  AFSC 
Air  Force  Unit  Post  Office 
Los  Angeles  45,  California 

Battelle  Memorial  Institute 
505  King  Avenue 
Columbus  1,  Ohio 

U.  S.  Air  Force  Systems  Command 
Andrews  Air  Force  Base,  Maryland 

U.  S.  Army  Advent  Management  Agency 
Fort  Monmouth,  New  Jersey 

Applied  Physics  Laboratory 
John  Hopkins  University 
8621  Georgia  Avenue 
Silver  Spring,  Maryland 

Republic  Aviation  Corporation 
Farmingdale,  New  York 

General  Dynamics  Corporation 

Radio  Corporation  of  America 
8500  Balboa  Boulevard 
Van  Nuys , Cali  f orni a 

U.  S.  Naval  Air  Station 

North  Island 

San  Diego  35,  California 

Sand! a Corporation 
Sandia  Base 

Albuquerque,  New  Mexico 

ATC  Project  Office 

Air  Force  Unit  Post  Office 

Los  Angeles  45,  California 

Radio  Corporation  of  America 
Moores town,  New  Jersey 

NASA  Flight  Research  Center 
Box  283 

Edwards,  California 

Headquarters 

SSD/AFSC 

DCAS  Los  Angeles,  California 


469 


NAME 

activity/  industry 

CORBIN,  Allen  M. 

U#  S.  Naval  Ordnance  Laboratory 
White  Oak 

Silver  Springs,  Maryland 

COUTINBO,  John  de  S. 

Grumman  Aircraft 
Bethpage,  L.I*,  New  York 

COVINGTON,  Garrett  C. 

McDonnell  Aircraft  Corporation 

P.  0,  Box  516 

St*  Lmis  66,  Missouri 

COVINGTON,  George  A. 

General  Ifynamies/Oonvair 

P.  0*  Box  1950 

San  Diego,  California 

OCX,  Charles  D, 

Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 

OOX,  Paul  C* 

Ordnance  Mission,  WSMR 

White  Sands  Missile  Range,  New  Mexico 

COX,  William  E. 

Northrop  Space  Laboratory 

1111  East  Broadway 

Palos  Verdes  Estates,  California 

CRABTREE,  David  M.,  Jr, 

Rome  Air  Development  Center 
Griffisa  Air  Force  Base,  New  York 

CULBERTSON,  James  E. 

Western  Electric  Company,  Inc. 
3300  Lexington  Road 
Winston-Salem,  North  Carolina 

CULP,  Claude  H, 

Rand  Corporation 
1700  Main  Street 
Santa  Monica,  California 

CUFO,  Ernest  F*,  Jr, 

Space  Technology  Laboratory,  Inc* 

P.  0*  Box  95001 

Los  Angeles,  California 

SURREY,  Jake  L. 

Pacific  Missile  Range 
U*  S.  Naval  Missile  Center 
Ft.  Mugu,  California 

DAIGLE,  William  A, 

U,  S*  Navy  Electronics  Laboratory 
San  Diego  52,  California 

D Mimm,  Edwin  G* 

U.  S.  Naval  Ordnance  Laboratory 
Corona,  California 

DAMON,  Harle  Hoyt 

General  Electric  Company 
Lakeside  Avenue 
Burlington,  Vermont 

DANCE,  Donald  \t. 

U,  S,  Naval  Missile  Center 
Point  Mugu,  California 

DARAY,  Jack  L. 
CAPT,  USN 

U.  S.  Naval  Air  Station 

North  Island 

San  Diego  35 t California 

DARNELL,  Pai.il  Stephen 

Bell  Telephone  Laboratory 
Whippany,  New  Jersey 

1*70 


NAME 


ACTIVITY/ IHDUSTRY 


DAVIDSON,  F*  F* 

PW  Department 

U-  S.  Naval  Air  Station 

North  Island 

San  Diego,  California 

DAVIS,  Waymond  A. 
MAJ  GEN,  USAF 

Aeronautical  Systems  Division 
Wright  Patterson  Air  Force  Base,  Ohio 

DAVISON,  Wayne  W* 

Collins  Radio  Company 
855-3 5th  Street,  NE 
Cedar  Rapids,  Iowa 

DAWSON,  John  J. 

Aerospace  Corporation 
El  Segundo,  California 

DEFREECE,  Dale  A. 

McDonnell  Aircraft  Corporation 

P.  0,  Box  516 

St«  Louis  66,  Missouri 

DEKKER,  Albert  Or  no 

Aero  j e t -G ener al  Oor por a t ion 
P.  0.  BOX  1947 
Sacramento,  California 

DEL CHAMPS,  Thomas  B, 

Bell  Telephone  Laboratory 
Whippany,  New  Jersey 

DELLA  - VEDOVf A , Richard  P. 

Lockheed  Missiles  & Space  Company 
Palo  Alto,  California 

DE  YOUNG,  Robert  L. 

U.  S Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 

DIXON,  John  E. 

BUWE  PSFLTREADR EP  Central 

Wright  Patterson  Air  Force  Base,  Ohio 

DONAHUE,  Philip  M. 

Bureau  of  Naval  Weapons  Representative 
400  S.  Bel ger  Street 
Ml  shawaka,  Indiana 

DOSHAY,  Irving 

Space - G e ner al  Corpo r a ti on 
Subsidiary  of  Aerojet -General 
9200  Flair  Drive 
El  Monte,  California 

DQTEY,  Raymond  A, 

U,  S,  Army  Ordnance 
District  of  Los  Angeles 
55  South  Grand  Avenue 
Pasadena,  California 

DOYLE,  Patrick  J. 

Ut  S.  Naval  Ordnance  Laboratory 
Corona , Cal i f or ni a 

DOYLE,  Vincent  Andrew 

North  American  Aviation,  Inc. 

Los  Angeles  International  Airport 
Los  Angeles  9*  California 

DO YON,  Leonard  R* 

Raytheon  Company 
Boston  Post  Road 
Wayla  n&,  Massa chu s e tt s 

DRAKE,  Hubert  M. 

NAT  Aero  and  Space  Administration 
pP  0.  Box  273 
Edwards , Calif orni a 

U71 


NAME 


ACTIVm/lNroSTRY 


ERAYNER,  Allen  H. 
DRESSER,  Richard  L* 
DtJCHEK,  Harold  W* 
DUESTERBERG,  L.  C. 

IXJNBAR,  Oliver  C. 
DYER,  Frank  S. 

EARLES,  Donald  R. 
EATON,  William  R. 

EDDINS,  Mary  F, 
EDWARDS,  Thomas  J. 
EDZIAK,  Theodore  F* 

EINBINDER,  Seymour  K* 
ELLIS,  Bernard 
EMRICH,  William  F. 
ENGQUIST,  Earl  W* 

EPPENSTEIN,  Herschel 
EYLER,  William  Henry, 


Martin  Marietta  Corporation 
Martin  Company  Division 
Friendship  Airport  to,  Maryland 

Aerospace  Defense  Systems  Office 
SSD 

Los  Angeles  k$,  California 

The  Shier  son  Electric  Manufacturing  Company 
8100  West  Florissant 
St*  Louis,  Missouri 

The  Bendix  Corporation 
Bendix  Mishawaka  Division 
400  S.  Beiger  Street 
Mi shawaka,  Indiana 

U.  S*  Army  Maintenance  Board 
Fort  Knox,  Kentucky 

U*  S,  Naval  Air  Development  Center 
Johnsville,  Pennsylvania 

AVCO  Corporation 
Wilmington,  Massachusetts 

General  Electric  Company 
Space  Technology  Center 
Valley  Forge,  Pennsylvania 

AVCO  Corporation 
Wilmington,  Massachusetts 

NASA  - MSC 
Houston  1,  Texas 

Atomics  International 
89OO  DeSoto  Avenue 
Canoga  Park,  California 

Picatinny  Arsenal 
Dover,  New  Jersey 

Lockheed  Missile  & Space  Company 
Sunnyvale , Calif orni a 

Aerojet -General  Corporation 
Azusa , Cal i f orni a 

Sprague  Electric  Company 
12870  Panama  Street 
Los  Angeles,  California 

i*.  •••’•  General  Dynamics/Astronautics 

San  Diego  12,  California 

Jr*  Consolidated  Western  Steel 

Division  United  States  Steel  Corporation 
5700  S.  Eastern 
City  of  Commerce 


NAME 


activity/inixjstry 


FAHLON,  Alex  S. 

FARNSWORTH,  William  P. 
FARRELL,  Marvin  Royce 
FATKIN,  Thomas  J. 

FEDDERSEN,  Edward  V/. 

FINE,  Aleck 
FINLEY,  James  Dorsey 

FLAGG,  Walter  L. 

FLYGARE,  Richard  W. 

FONTAIN,  Hubert  Louis 

FORSMAN,  Allyn  J. 

FORTUNE,  William  C. 
FOX,  David  H. 

FOX,  Kenneth  H. 

FRANTIK,  Rudolph  0, 

FRECH,  William  Paul 


Philco  Corporation 
Subsidiary,  Ford  Motor  Company 
Western  Development  Laboratory 
3825  Fabian  Way 
Palo  Alto,  California 

United  States  Air  Force 
The  Pentagon 
Washington,  D.  C. 

HJWEPSFLTREADREP  PAC 
NAS  North  Island 
San  Diego,  California 

HJWEPSFLTREADREP  PAC 
NAS  North  Island 
San  Diego,  California 

General  Dynamics  Corporation 
San  Diego,  California 

General  Electric  Company 

United  Testing  Laboratories 
573  Monterey  Pass  Road 
Monterey  Park,  California 

United  States  Air  Force 
Space  Systems  Division 
Air  Force  Unit  Post  Office 
Los  Angeles  k$,  California 

Sperry  Utah  Company 

Division  of  Sperry  Rand  Corporation 

322  North  21st  West  Street 

Salt  Lake  City,  Utah 

Ryan  Aeronautical  Company 
2701  Harbor  Drive 
San  Diego,  California 

Minneapolis -Honeywell  Regulator  Company 
2600  Ridgway  Road 
Minneapolis,  Minnesota 

U*  S.  Naval  Air  Test  Facility 
Lakehurst,  New  Jersey 

Chrysler  Corporation 
7000  E,  Eleven  Mile  Road 
Center  Line,  Michigan 

Bendix  Corporation 
Red  Bank  Division 
Eatontown,  New  Jersey 

Aerospace  Corporation 
2 too  East  El  Segundo  Boulevard 
El  Segundo,  California 

Lockheed-Georgia  Company 
86  South  Cobb  Drive 
Marietta,  Georgia 


1*73 


NAME 

ACTIVITY/INDUSTRY 

FREDERICK,  Herbert  E. 

Aerospace  Corporation 
El  Segundo,  California 

FREEMAN,  John  F* 

Aero  j e t -G ener al  Corpora t i on 
P.  0,  Box  1947 
Sacramento  9j  California 

FRASER,  James  A* 

Professor  of  Physical  Science 
Maxwell  Air  Force  Base,  Alabama 

FRIEDENREICR,  Gilbert 

Fairchild  Strata s Corporation 
Spacecraft  Systems 
Bayshore,  New  York 

FRITZ,  Harvey  Walter 

National  Aeronautics  & Space  Administration 
NASA  Representative  Office 
North  American  Aviation 
Downey,  California 

FUNK,  Ben  I, 

Commander  SBAMA 

Norton  Air  Force  Base,  California 

FURHER,  Rudolph 

Lockheed  Missiles  & Space  Company 
Sunnyvale,  California 

GALIB,  Thomas  A, 

U.  S,  Naval  Underwater  Ordnance  Station 
Newport,  Rhode  Island 

GANTT,  Richard  R. 
LT  COL,  USAF 

L.  G*  Hanscom  Field 
Bedford,  Massachusetts 

GARDINER , Duncan  B> 

Vickers,  Inc, 
Division  Sperry 
Detroit  32,  Michigan 

CARDS  BANE,  Alvin 

Astronautics  Division 
Chance  Vought  Corporation 
F,  0.  Box  6267 
Balias  22,  Texas 

G ARMAN,  Ralph  Sheldon 
COL  USAF 

Commander,  Air  Force  Missile  Development  Center 
Holloman  Air  Force  Base,  New  Mexico 

GARNER,  Norman  R. 

Aer 0 j e t - Ge  n er al  Corpora  1 1 0 n 
1100  West  Hollyvale 
Azusa,  California 

GAVURIN,  Edward  I, 

General  Electric  Company 
3198  Chestnut  Street 
Philadelphia  4,  Pennsylvania 

GEPHART,  Landis  S. 

Lockheed  Missiles  & Space  Company 
Sunnyvale,  California 

GIARRIZZO,  Charles 

SBAMA 

Service  Engineering  Division 
Directorate  of  Materiel  Management 
Norton  Air  Force  Base,  California 

GIBSON,  Carl  E* 

Liquid  Propulsion  Systems 

NASA  George  C.  Marshall  Space  Flight  Center 
Huntsville,  Alabama 

GIBSON,  Charles  Edward 

Commander,  Operational  Test  & Evaluation 
Force 

Norfolk  11,  Virginia 

NAME 

ACTIVITY/INDUSTRY 

GILL,  John  F. 

Aerojet-General  Corporation 
1100  W.  Hollyvale  Avenue 
Azusa,  California 

GLICKMAN,  Lester 

Navy  Central  Torpedo  Office 
Newport,  Rhode  Island 

GLIDDEN,  Bruce 

Consolidated  Western  Steel  Division 

United  States  Steel  Corporation 

P.  0.  Box  2015 

Terminal  Annex 

Los  Angeles  54,  California 

GODSEY,  Jack  C. 

Thiokol  Chemical 
Huntsville,  Alabama 

GOLDBERG,  Morton  E. 

Armour  Research 

GOLDENRATH,  Walter  Lewis 
cm,  USN 

U.  S.  Naval  Air  Station 

North  Island 

San  Diego  35,  California 

GOODHART,  Milton  E. 

Marquardt  Corporation 
16555  Saticoy  Street 
Van  Nuys,  California 

GRAINGER,  George  R. 

Planning  Research  Corporation 
1333  Westwood  Boulevard 
Los  Angeles  24,  California 

GRAY,  William  L. 

The  Boeing  Company 
P.  0.  Box  3707 
Seattle  24,  Washington 

GREER,  Richard  D.,  Jr. 
CDR,  USN 

BUWEPSFLTREA DREP  PACIFIC 

NAS  North  Island 

San  Diego,  California 

GREGORY,  Lowell  D. 

Chance  Vought  Corporation 
Ling-Temco-Vought,  Inc. 

P.  0.  Box  5003 
Dallas  22,  Texas 

GREGORITS,  Robert  F. 

Bureau  of  Naval  Weapons  Representative 
400  S.  Beiger  St. 

Mishawaka,  Indiana 

GREMBAN,  Walter  A. 

ATC  Project  Officer 

Air  Force  Unit  Post  Office 

Los  Angeles  45,  California 

GRUOL,  John  W. 

U.  S.  Army  Signal  R&D  Laboratory 
Fort  Monmouth,  New  Jersey 

HADDEN,  Leonard  John 

The  Marquardt  Corporation 
16555  Saticoy  Street 
Van  Nuys,  California 

HADLEY,  William  Lee 

Martin  Company 
Baltimore  3,  Maryland 

HAGAN,  John  Thomas 

Martin  Company 

HAGE,  Harry  Dennis 

BUWEPSFLTREA DREP  PACIFIC 

NAS  North  Island 

San  Diego  35,  California 

U75 


NAME 

HAIGLER,  William  B. 

HALL,  Charles  M. 

HALL,  Donald  P. 

HALL,  Lacey  C. 

HAMMELL,  Richard 

HAMMERS,  Fred  Charles 
HAMONTRE,  Hugh  Clayton 
HANS SEN,  Gustav  F. 

HARDENBAURGH,  Miles  R. 
HARMEN,  Raymond  A. 

BARN,  Gene  Laverne 

HARNETT,  Daniel  Edvard 

HARTER,  Wendell  W. 

HARTVIGSEN,  Donald  E. 

HASSLER,  Kenneth  E. 

HAWKINS,  Willis  M. 

HEATH,  Robert  Lowrey 

HENDERSON,  George  Andrew 


ACTIVITY / INDUSTRY 
ROCKETDYNE 

Division  of  North  American  Aviation,  Inc, 
6633  Canoga  Park,  California 

Aerojet-General  Corporation 
11711  Wooddruff  Avenue 
Downey,  California 

Air  Force  Flight  Test  Center 
EDWARDS  Air  Force  Base,  California 

San  Bernardion  Air  Material  Area 
Norton  Air  Force  Base,  California 

Bell  Telephone  Laboratories 
Whippany  Road 
Whippany,  New  Jersey 

NASA,  Marshall  Space  Flight  Center 
HUNTSVILLE,  Alabama 

Naval  Weapons  Laboratory 
Corona,  California 

U,  S.  Army  Ordnance  District 
4300  Goodfellow  Boulevard 
St,  Louis,  Missouri 

CG  AOMC 

Redstone  Arsenal,  Alabama 

Commander,  Naval  Missile  Center 
Pacific  Missile  Range 
Point  Mugu,  California 

ATC  Project  Office 

Air  Force  Unit  Post  Office 

Los  Angeles  45,  California 

General  Electric  Company 
Charles  Building 
Liverpool,  New  York 

Northrop  Norair 
1001  East  Broadway 
Hawthorne,  California 

Aerojet-General  Corporation 
1100  W.  Hollyvale 
Azusa,  California 

Battelle  Memorial  Institute 
5050  King  Avenue 
Columbus,  Ohio 

Lockheed  Missiles  & Space  Company 
Sunnyvale,  California 

North  American  Aviation,  Inc, 

Rocket dyne  Division 
6633  Canoga  Avenue 
Canoga  Park,  California 

Martin  Company 
Orlando,  Florida 


NAME 


activity/  xnixjstry 


HENNING,  Frederick  W. 

HENRY,  George  Edwin 

HERD,  G.  Ronald 

HIBBARD,  Hall  Livingston 
HINKLE,  Mark  L. 

HIP PS,  William  Grover 
HIRSCHRON,  Martin 

HOCHMAN,  Daniel 
HOESEL,  Neil  E. 

HOLLAND,  John 

HOLIMAN,  Dallas  Joseph 

HOLLORAN,  Ralph  P. 
HOLSCLAW,  Gerald  R. 


Westinghouse  Electric  Corporation 
Astronuclear  Laboratory 
P,  0.  Box  10864 
Pittsburg  36,  Pennsylvania 

General  Electric  Company 
Ordnance  Department 
Pittsfield,  Massachusetts 

Booz  Allen  Applied  Research,  Inc, 
4815  Rugby  Avenue 
Bethesda,  Maryland 

Lockheed  Aircraft  Corporation 
Burbank,  California 

General  Electric  LMED 
901  Broad  Street 
Utica,  New  York 

Tactical  Air  Command 

Langley  Air  Force  Base,  Virginia 

Industrial  Acoustics  Company 
341  Jackson  Avenue 
New  York  54,  New  York 

Lockheed  Missiles  and  Space  Company 

Thiokol  Chemical  Corporation 
Brigham  City,  Utah 

American  Bosch  Anna  Corporation 

Arma  Division 

San  Diego,  California 

General  Dynamics/Astronautics 
Box  1128 

San  Diego  12,  California 

North  American  Aviation,  Inc, 
Columbus  16,  Ohio 

HQ  AFLC 
WFAFB,  Ohio 


HOMSY,  A.  A. 


Litton  Systems,  Inc, 
Woodland  Hills,  California 


HORN,  George  Martin 


U.  S.  Naval  Ordnance  Test  Station 
China  Lake,  California 


HUGHES,  Thomas  Edge 


HURST,  James  Harris 


HURST,  Richard  M. 


Defense  Research  Laboratories 
General  Motors  Corporation 
6767  Hollister  Avenue 
Goleta,  California 

NASA  Marshall  Space  Flight  Center 
Huntsville , Alabama 

U,  S,  Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 


HUTCHINS,  Guy  Vernon 


BUWEPSFLTREADREP  PACIFIC 

NAS  North  Island 

San  Diego  35,  California 


1*77 


NAME 

ACTIvm/lNDUSTRY 

HUTCHINS,  Harold  J* 

USAF  SBAMA 

Norton  Air  Force  Base,  Californie 

HUTTON,  Lenard  Ray 

U-  S.  Naval  Ordnance  Laboratory 
Corona,  California 

IVES,  George  Stoughton 

Bureau  of  Naval  Weapons  Representative 
Ftrniona,  California 

INMAN,  William  K. 

Up  Sp  Naval  Ammunition  Depot 
Crane,  Indiana 

IRVINE,  Clarence  S . 

AVCO  Corporation 
Suite  tOO 

8939  South  Sepulveda  Boulevard 
Los  Angeles  45,  California 

ISRAEL,  Edmund  M* 

Space  Technology  Laboratory,  Inc, 

One  Space  Park 

Redondo  Beach,  California 

JABLONSKI,  Frank  E. 

National  Aeronautics  & Space  Administration 
1530  H Street,  N.W, 

Washington,  Dp  C* 

JACOBS,  Leonard 

Radio  Corporation  of  America 
8500  Balboa  Boulevard 
Van  Nuys,  California 

JAHR,  Edgar  F. 

1EQ  Corporation 
Owe go,  New  York 

JAKOBOWSKT,  Walter 

National  Aeronautics  & Space  Administration 
1520  H Street,  Np  W* 

Washington,  D.  C. 

JAMES,  Don 

General  Dynamics 
1675  West  5th  Street 
Fdmona,  California 

JOHNSON,  Bernie  D. 
LT  COL  TC,  USA 

Department  of  the  Army 
Utah  General  Depot 
Ogden,  Utah 

JOHNSON,  Edwin  Harold 

Up  S,  Naval  Ordnance  Laboratory 
Cdrona,  California 

JOHNSON,  Curt  I. 

IBM  Corporation 
Owego,  New  York  * 

JOHNSON,  Francis  B. 

Lockheed  Missile  & Space  Company 

JOHNSON,  LaVern  M, 

Naval  Ordnance  Laboratory 
Corona , Cal i for ni a 

JOHNSON,  Roes  Herman 

Martin  Marietta  Corporation 
Baltimore  3,  Maryland 

JOHNSON,  William  F. 

Curtiss-* Wright  Corporation 
Caldwell,  New  Jersey 

JONES,  Earl  L. 

North  American  Aviation,  Inc. 
International  Airport 
Los  Angeles,  California 

NAME 

ACTIVITY/ INDUSTRY 

JONES,  Edward  E* 

Bureau  of  Naval  Weapons 
Washington,  D.  C. 

JONES,  Robert  Edward 

MSA  Marshall  Space  Flight  Center 
Huntsville,  Alabama 

JOYNER,  James  L* 

National  Aeronautics  & Space  Administration 
Cape  Canerval,  Florida 

JOYNER,  Ronald  S. 
2nd  LT  USAF 

ASD  AFSC 

Wright -Patter son  Air  Force  Ease,  Ohio 

KAPLAN,  Irving  E. 

U*  S*  Naval  Personnel  Research  Activity 
San  Diego  52,  California 

KAMINS,  Milton 

The  Rand  Corporation 
1700  Main  Street 
Santa  Monica,  California 

KABMIOL,  Edwin  D. 

General  Electric  Company 
3198  Chestnut  Street 
Philadelphia,  Pennsylvania 

KAUDERj  Arnold  J. 

Bureau  of  Naval  Weapons  Representative 

North  Hollywood 

ll600  Sherman  Way 

North  Hollywood,  California 

KEAR,  Donald  L . 

Defense  Electronics  Supply  Center 
1507  Wilmington  Pike 
Dkyton,  Ohio 

KEEFE,  Gordon  J. 

Defense  Supply  Agency 

Inspection  & Quality  Control  Division,  P&P 
Directorate,  Defense  Supply  Agency 
Room  2807  Tempo  A 
Washington,  D*  C* 

KELLY,  Robert  B, 
LT  COL,  U5AF 

Air  Force  Plant  Representative 
Air  Force  Systems  Command 
G e ner al  Bynami  c s/A  s t r onau  t i c s 
F,  0,  Box  1128 
San  Diego  12,  California 

KENNA,  William  E. 

Sikorsky  Aircraft 
S tr  atf or d,  Conne c t i cut 

KENT,  James  R . 

U.  S.  Naval  Ammunition  Depot 
Crane,  Indiana 

KIMEL,  Harry 

General  Electric  Company 
Philadelphia,  Pennsylvania 

KXM BERLIN,  John  I. 

U*  S,  Air  Force  Inspector  General 
Norton  Air  Force  Base,  California 

KIRK,  Gerald  A, 

Loral  Electronics  Corporation 
825  Bronx  River  Avenue 
New  York,  New  York 

KISSINGER,  Milan  P,  H. 

Ryan  Aeronautical  Company 

Lindbergh  Field 

San  Diego  12,  California 

hi  9 


NAME 


ACTIVITY/INDUSTRY 


KLINE,  William  Darwin 

KLINGON,  Arthur  J. 
KNIGHT,  Chester  Raymond 

KNORR,  Harold  M. 

KNUDSEN,  George  E. 

KOCH,  James  R, 

KOONTZ,  Warren  S. 

KOPCSAK,  Arpad  A* 

COL  USA 

KOPPENHAVER,  James  T. 

KRAUS,  John  W. 

KRAVA,  Roy  "A" 

KREBBERS,  Johannes 

KREUZE,  Floyd  Jay 

KRZYSIA K,  Edward  F. 

KUNZ,  Earl  Greaves 
LAMB,  William  Xavier 

LAMBERTINE,  Joseph  A. 


U.  S.  Naval  Ammunition  Depot 
Crane,  Indiana 

COMFLDCOM  DASA  Sandia  Base,  New  Mexico 

ARINC  Research  Corporation 
1700  K Street,  N.  W* 

Washington,  D.  C. 

Douglas  Aircraft  Company 
300  Ocean  Park  Boulevard 
Santa  Monica,  California 

Temco  Electronics  Division 

Box  6ll8 

Dallas  22,  Texas 

Minneapolis -Honeywell  Aero  Division 
13350  U.  S*  Highway  19 
St*  Petersburg,  Florida 

Bureau  of  Naval  Weapons 
Washington,  D.  C, 

Headquarters,  Department  of  the  Army 
Office  of  the  Deputy  Chief  of  Staff  for 
Military  Operations 
Washington,  D*  C. 

National  Aeronautics  and  Space  Administration 
bOO  Maryland  Avenue 
Washington,  D*  C. 

Atomics  International 
89OO  De  Soto  Avenue 
Canoga  Park,  California 

General  Dynamics/ Co nvair 
San  Diego,  California 

Stanford  Research  Institute 
333  Ravenswood  Avenue 
Menlo  Park,  California 

Lear,  Inc. 

Instrument  Division 
110  Ionia  Avenue,  N.W. 

Grand  Rapids,  Michigan 

Rome  Air  Development  Center 
Griffiss  Air  Force  Base,  New  York 

North  American  Aviation,  Inc. 

Los  Angeles,  California 

The  Bendix  Corporation 
Bendix-Pacific  Division 
Sherman  Way 

North  Hollywood,  California 

The  Bendix  Corporation 
Fischer  Building 
Detroit  2,  Michigan 


NAME 

LAMKIN,  Lessel  Edwin 


LAMONT,  Kenneth  0* 


LANGSTON,  James  T* 
LCDR,  USN 

LANGIE,  Henry  J. 

LAURICH,  James  A. 
CAPT,  USN 

LAWSON,  Lawrence  G, 
LEBRE,  Edward  G. 
LEE,  James  B. 

LEHR,  Samuel  N. 
LENNON,  Bober t A. 


LEMIEUX,  Norman 
LCDB,  USN 


ACTIVITY/  INIXJSTRY 

Sandia  Corporation 
Sandia  Base 

Albuquerque,  New  Mexico 

The  Bendix  Corporation 
Bendix  Mishawaka  Division 
kOO  S.  Beiger  Street 
Mi  shawaka,  Indiana 

U.  S.  Naval  Air  Station 

North  Island 

San  Diego,  California 

Aeronutronic  Division 
Ford  Motor  Company 
Ford  Road 

Newport  Beach,  California 

BUWEPSFLTREADREP  Pacific 

NAS  North  Island 

San  Diego,  California 

General  Eynamics/Convair 
3302  Pacific  Highway 
San  Diego,  California 

Raytheon  Company 
Spring  Street 

Lexington  73,  Massachusetts 

U.  S.  Army  Signal  Supply  Agency 
125  South  Grand  Avenue 
Pasadena,  California 

Space  Technology  Laboratory,  Inc. 

One  Space  Park 

Redondo  Beach,  California 

General  Dynamics 
5th  Street 
Pomona , Cal  if  or  ni  a 

OPTEVFORPAC 

NAS  North  Island 

San  Diego,  California 


LESHER,  Charles  M. 
LT,  USNR-R 


COMELEVEN 

San  Diego  30,  California 


LIGHTER,  Nathan 


Gruman  Aircraft  Engineering  Corporation 
Bethpage,  New  York 


LINDSAY,  Griffith  W. 


Aeronautical  Systems  Division 
Wright  Patterson  Air  Force  Base,  Ohio 


LITTLER,  Richard  C. 
LLOYD,  David  K. 


LOUGH,  Thomas  M, 


Headquarters,  Air  Force  Logistics  Command 
Wright -Patter son  Air  Force  Base,  Ohio 

Space  Technology  Laboratory 

One  Space  Park 

Redondo  Beach,  California 

Space  Technology  Laboratories,  Inc. 

1 Space  Park 

Redondo  Beach,  California 


NAME 

activity/industry 

LOWERS,  Horace  B. 

U*  S,  Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 

LUBELSKY,  Benjamin  Louis 

Lockheed  Missiles  & Space  Company 
Sunnyvale,  California 

MAAS,  Arthur  V. 

Bureau  of  Naval  Weapons  Resident  Representative 
F.  0*  Box  157 
Magna,  Utah 

MacCARLEY,  John  A. 

Lockheed- Calif ornia  Company 
Burbank,  California 

MACHONGA,  John  G. 

The  Ryle- National  Company 
1334  N.  Kostner  Avenue 
Chicago  51,  Illinois 

MADDEN,  James  H. 

Aerojet  General  Corporation 
F.  0,  Box  1947 
Sacto,  California 

MADDOX,  Wilkes  L* 

McDonnell  Aircraft  Corporation 
Box  5l6 

St«  Louis  66,  Missouri 

MAIKIN,  Samuel 

U.  8*  Army  Signal  Materiel  Support  Agency 
Fort  Monmouth,  New  Jersey 

MARQUARDT,  Lester  S. 

U,  8,  Naval  Missile  Center 
Point  Mugu,  California 

MARSHALL,  William  E. 

Minneapolis  Honeywell  Ordnance  Division 
600  2nd  Street,  North 
Hopkins,  Minnesota 

MARTIN,  William  J. 

General  Eynami cs/Convair 
3302  Pacific  Highway 
San  Diego  12,  California 

MASON,  John  E. 

Naval  Torpedo  Station 
Keyport,  Washington 

MASTERSON,  K.  S. 
RAEM,  USN 

Deputy  Chief,  Bureau  of  Naval  Weapons 
Constitution  Avenue,  N,W* 

Washington,  D,  C* 

MATTHES,  Walter  L. 

Martin  Company 
Orlando,  Florida 

MAY,  Britt  S. 
(X)L,  LFSAF 

Warfare  Systems  School 
Maxwell  Air  Force  Base,  Alabama 

MC  ADAM,  John  Cullen 

International  Electronic  Research  Corporation 
135  West  Magnolia  Boulevard 
Burbank,  California 

MC  AULIFFE,  William  I. 

AiResearch  Manufacturing  Company 
Division  of  the  Garrett  Corporation 
98  51  Sepul ve da  Boul e var d 
Los  Angeles,  California 

Ii82 


NAME 

activity/ industry 

MC  BRIDE,  Jack  E. 

Department  of  the  Navy 

l8th  & Constitution  Avenue,  N.W< 

Washington,  D,  C* 

MC  CAFFREY,  Frank  K, 

General  Dynamics/ Pomona 
Pomona,  California 

MC  CASLIN,  Louis  B. 

ARINC  Research  Corporation 
467  Hamilton  Avenue 
Palo  Alto,  California 

MC  CLAY,  Max  Ivan 

Bureau  of  Naval  Weapons  Representative 
Pomona,  California 

MC  CLEARY,  George  C* 
LT  COL,  USAF 

U.  S*  Air  Force  Inspector  General 
Norton  Air  Force  Base,  California 

MC  CLINTIC,  Robert  G. 

U.  S.  Army;  DA  Information 
6087  Sunset  Boulevard 
Hollywood,  California 

MC  CLURE,  Hulius  Y. 

General  Dynamics  Corporation 

P,  0.  Box  2672 

San  Diego  12,  California 

MC  OORMACK,  Charles  K. 

Oregon  Precision  Industries,  Inc* 
125  E,  34th  Street 
Albany,  Oregon 

MC  DONALD,  Joseph  J, 

EUWEFSFXTREADREP  Pacific 

NAS  North  Island 

San  Diego,  California 

MC  DUFFEE,  Paul  E. 

Phil co  Corporation 
We s ter ft  Development 
3875  Fabian  Way 
Palo  Alto,  California 

MC  GOWAN,  Allen  P- 

U.  S,  Naval  Ordnance  Laboratory 
Corona,  California 

MC  KAY,  Robert  R. 

Headquarters,  Air  Force  Logistics  Command 
Wright- Pat ter son  Air  Force  Base 
Dayton,  Ohio 

MC  LAUGHLIN,  Charles  E* 

Aeronautical  Systems  Division 
Wright-Pat ter son  Air  Force  Base,  Ohio 

MC  MASTER,  Alexander  C. 

General  Dynamics 
P,  0*  Box  1011 
Pomona,  California 

MC  MICHAEL,  Eugene 

Headquarters,  Department  of  the  Army 
Chief  Signal  Officer 
Washington,  D*  C. 

MELARA,  Philip 

Grumman  Aircraft  Engineering  Corporation 
Eethpage,  New  York 

MENELEY,  Carl  A, 

Goodyear  Aircraft  Corporation 
1210  Massillon  Road 
Akron,  Ohio 

MERKEL,  Albert  G* 

HJWE PSFLTR EADR EP  Pacific 

NAS  North  Island 

San  Diego,  California 

W3 


NAME 


ACTIVITY/  INKJSTRY 


MEYER,  Joseph  Simon 
MEYER,  Richard  A. 

MICHELS,  William  N. 
MILLER,  George  J. 

MOAN,  Obert  B. 
MONTGOMERY,  Paxil  B. 
MOORE,  Edwin  F. 
MOORE,  John  R, 

MOORE,  W.  R.,  Jr. 

MORELAND,  Robert  A. 
MORRIS,  Brooks  T. 

MORRISON,  Edward  J. 

MOTE,  Amos  M. 

LT  COL 


Litton  Systems,  Inc 
Woodland  Hills,  California 

General  Electric 
1000  Western  Avenue,  W. 

Lynn,  Massachusetts 

Headquarters,  SSD  AFSC 
Los  Angeles,  California 

Hughes  Aircraft  Company 
P.  0.  Box  2097 
Fullerton,  California 

Lockheed  Missiles  & Space  Company 
Sunnyvale,  California 

General  Dynamics/  Convair  Division 
San  Diego,  California 

North  American  Aviation 
McGregor,  Texas 

North  American  Aviation,  Inc. 
Autonetics  Division 
9150  E.  Imperial  Highway 
Downey,  California 

Administrative  Officer 
U.  S.  Naval  Air  Station 
NAS  North  Island 
San  Diego,  California 

U.  S.  Naval  Missile  Center 
Point  Mugu,  California 

California  Institute  of  Technology 
Jet  Propulsion  Laboratory 
4800  Oak  Grove  Drive 
Pasadena,  California 

Texas  Instruments,  Inc. 

6000  Lemmon  Avenue 
Dallas,  Texas 

APGC 

Eglin  Air  Force  Base,  Florida 


MOYNIHAN,  John  D. 


MRAZ,  John  Z. 


MUELLER,  Richard  Albert 
MULKERN,  John  R. 


MULOCK,  Richard  B. 


Sprague  Electric  Company 

Marshall  Street 

North  Adams,  Massachusetts 

Air  Force  Plant  Representative 
Air  Force  Systems  Command 
General  Eynamics/Astronautics 
San  Diego  12,  California 

General  Dynamics  Corporation 

Bureau  of  Naval  Weapons  Representatives 
(SPO),  LMSC 
Box  504 

Sunnyvale,  California 
Syl vania 

1100  Wehrle  Drive 
Buffalo,  New  York 


U8U 


NAME 


ACTIVITY/lNDUSTRY 


MURCHISON,  Weldon  0. 
MURPHY,  J.  F. 

MURPHY,  Ray  B. 

MUTER,  Joseph  J. 

MYERS,  Richard  H, 

NASSER,  Francis  E. 
NATELSON,  David  Myles 

Naubereit,  Henry 
NAVOY,  Anthony  J* 

NEAL,  William  W 
NEWBERG,  Eric  G. 

NEWBERRY,  Billy  Dean 
NIEWOOD,  Harry 

NOOTZ,  Willard  E* 
NORMAN,  Barry  R. 

NORRIS,  Roll in  H. 

NOSLEY,  Charles  C. 


U.  S*  Air  Force  Inspector  General 
Norton  Air  Force  Base,  California 

FW  Department 

U.  S.  Naval  Air  Station,  North  Island 
San  Diego,  California 

Bell  Telephone  Laboratories,  Inc. 

463  West  Street 
New  York  l4,  New  York 

United  States  Army 
OCOFT,  Building  T-7 
Washington  25,  D.  C. 

Hughes  Aircraft  Company 
Florence  & Teale  Streets 
Culver  City,  California 

U.  S.  Navy  Central  Torpedo  Office 
Newport,  Rhode  Island 

Loral  Electronics  Corporation 
825  Bronx  River  Avenue 
New  York,  New  York 

Aero  Electronic  & Electrical  Laboratory 
NAD  Crane,  Indiana 

General  Atomic  Division 
General  Dynamics  Corporation 
P.  0.  Box  608, 

San  Diego  12,  California 

The  Martin  Company 
Orlando,  Florida 

The  Boeing  Company 
Aerospace  Division 
P.  0.  Box  3707 
Seattle  24,  Washington 

General  Dynamics  Corporation 

American  Machine  & Foundry  Company 
11  Bruce  Place 
Stamford,  Connecticut 

Aeronautical  Systems  Division 
Wright  Patterson  Air  Force  Base,  Ohio 

Whle  Laboratories 
128  Maryland  St. 

El  Segundo,  California 

General  Electric  Company 
1 River  Road 
Schenectady,  New  York 

Sundstrand  Aviation 
2421  11th  Street 
Ro  ckf or d,  Illinoi s 


has 


NAME 

activity/industry 

NOWAK,  Lauratice  H. 

Lockheed  Propulsion  Company 
P.  0,  Box  111 
Redlands,  California 

NUCCI,  ELidio  J. 

STAFF  Assistant  Office  of  Maintenance 
Engineering 

Office  of  Director  of  Defense  Research  and 
Engineering 
Washington,  D,  C, 

NYBURG,  Willard  L* 

U,  S,  Navy 

OTCS,  JT*  Staff  J-5 

AE&GM  Branch 

NYLAND,  Frederic  S. 

The  Rand  Corporation 
1700  Main  Street 
Santa  Monica,  California 

OAKLEY,  Paul  D* 

Department  of  the  Army 

Diamond  Ordnance  Fuze  Laboratories 

Washington  25,  D,  C. 

0 1 CONNELL , Edison  E 

COMPACMISRAN 

O'  CONNELL,  Edmund  P. 

Gederal  Electric  Corporation 
621-671  Industrial  Avenue 
Iteramus,  New  Jersey 

O’KEEFE,  John  T, 

IT.  S*  Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 

OLIVER,  Richard  Maxey 

Aerospace  Industries  Association  of 
America,  Inc, 

610  Shoreham  Boulevard 
Washington  5,  D,  C, 

OLON,  Frederick  A, 

U,  5.  Naval  Propellant  Plant 
Indian  Head,  Maryland 

OLSEN,  Emil  M, 

The  Garrett  Corporation 
9851  Sepulveda  Boulevard 
Los  Angeles  9,  California 

OLSON,  Curtis  L, 

USA  Engineering  Res  & Dev  Laboratories 
Ft , Bel voir,  Virginia 

O'NEAL,  Russell  D* 

The  Rendlx  Corporation 
110^  Fisher  Boulevard 
Detroit  2,  Michigan 

ORKIN,  Fredric  I* 

EL ectro -Mechanical  Research,  Inc* 
P,  0,  Box  304l 
Sarasota,  Florida 

ORR,  Robert  R, 

NASA  Geo  c*  Marshall  Space  Flight  Center 
Hunt  s vi 1 le , Alabama 

OTTOERE,  James 

Lockheed  Electronics  Company 
U,  S,  Highway  22, 

Plainfield,  New  Jersey 

PABST,  William  R,,  Jr, 

Bureau  of  Naval  Weapons 
Washington,  D,  C, 

486 


HAKE 

ACTIVITY/ INDUSTRY 

PAIGE,  Hilliard  W. 

General  Electric  Company 
Missile  & Space  Vehicle  Department 
Pi  0.  Box  8555 

Philadelphia  1,  Pennsylvania 

PAINTER  , Brookman  R. 

Western  Regional  Officer 
Army  Signal  Supply  Agency 
125  South  Grand 
Pasadena,  California 

PALMED  , Hi  chard  E. 

The  Garrett  Corporation 
Ai Re search  Manufacturing  Company 
9851  Sepulveda,  Los  Angeles 
Los  Angeles,  California 

PANG,  KaLun 

BUWEPSFLTREAIBEP  i^cific 

NAS  North  Island 

San  Diego,  California 

PARK,  August  R, 

GPI  Librascope  Division 
Aerospace  Branch 
1370  Encinitas  Road 
San  Marcos,  California 

FEARLIN,  Leo  Hi 

Lockheed  California  Company 
Pi  0,  Box  551 
Burbank , Cal i f or ni a 

PENNELL,  Alfred  E. 

Motorola,  Inc.  MED/WC 
8201  E.  McDowell  Road 
Scottsdale,  Arizona 

FERAPNO,  G.  S. 

Headquarters,  tf*  S.  Air  Force 
Washington,  D<  C. 

PERRIN,  Robert  Wayne 

Gen  er al  Dynam i c s/ As  tr ona u ti c s 
San  Diego,  California 

PERRY,  Lucius  A.,  Jr. 
COL  TJSAF 

6595th  Aerospace  Test  Wing,  AFSC 
Vandenberg  Air  Force  Base,  California 

PETERSEN,  Clifford  C. 

Motorola,  Inc, 
Scottsdale,  Arizona 

PETERSON,  Mell  A. 

Northrop  Corporation 
9744  Vlil shire  Boulevard 
Beverly  Hills,  California 

PETERSON,  Robert  L. 

Opn  Analysis,  Headquarters  SAC 
Offutt  Air  Force  Base,  Nebraska 

PEWITT,  James  D. 
CAPT,  USAP 

SBAMA 

Norton  Air  Force  Base,  California 

PICKER,  Walter  J. 

GPI  Librascope  Division 
808  Western  Avenue 
Glendale,  California 

PICKREL,  Evan  Wilken 

Douglas  Aircraft  Company 
Santa  Monica,  California 

PILIGIAN,  Murad  S. 

U,  S.  Air  Force  ESD 
L*  G.  Hhnscom  Field 
Bedford,  Massachusetts 

NAME 

PLISKIN,  Daniel 
POLLOCK,  Robert  D. 

PONTIOUS,  Harry  Lowell 
PORTER,  David  C. 

PORTER,  Roy  Vernon 

PORTNER,  Ferris  Dale 
POUNDER,  Edwin 
POWELL,  Harry  Rutter 

POWERS,  Aaron  B. 
PROCTOR,  Phimister  B, 

PUTT,  Gldyn  H. 

RABEY,  Duncan  W. 
RAGSDALE,  Milton  M. 

RAPP,  Edward  G. 

RASNICK,  Ben 
RAYMOND,  George  A. 

REED,  Douglas  A. 

REEVE,  Edward  A. 


ACTIVITY/ INDUSTRY 

Grumman  Aircraft  Engineering  Corporation 

The  Marquardt  Corporation 
2771  N.  Carey  Avenue 
Pomona,  California 

North  American  Avn.  Inc. 

Downey,  California 

The  Boeing  Company 
P*  0.  Box  3707 
Seattle  2k,  Washington 

Office  Chief  of  Research  & Development,  DA 
Room  3E-364 
The  Pentagon 
Washington,  D.  C. 

U.  S.  Naval  Propellant  Plant 
Indian  Head,  Maryland 

Jet  Propulsion  Laboratory 
Pasedena,  California 

Space  Technology  Laboratory,  Inc. 

P.  0.  Box  95001 

Los  Angeles  45,  California 

U.  S.  Naval  Ordnance  Laboratory 
Corona,  California 

Hughes  Aircraft  Company 
Florence  & Teale  Streets 
Culver  City,  California 

Lockheed  Missiles  & Space  Company 
P.  0.  Eox  504 
Sunnyvale,  California 

6595th  Aerospace  Test  Wing  AFSC 
Vandenberg  Air  Force  Base,  California 

ARINC  Research  Corporation 
1700  K Street  N.  W. 

Washington,  D.  C. 

Aerojet  General  Corporation 
P.  0.  Box  1947 
Sacramento,  California 

COMPACMISRAN 

Remington  Rand  Uni vac 
St.  Paul  l6,  Minnesota 

AiResearch  Manufacturing  Company  of  Arizona 
k02  South  36th  Street 
Phoenix,  Arizona 

I EM  Corporation 
Owego,  New  York 


REITER,  Harry  L.  RADM 


The  Pentagon 
Washington,  D.  C. 


REITER,  Philip 


Aerojet-General  Corporation 


NAME 

REYNOLDS,  Robert  Max 

RICHARDSON,  Norval  Ralph. 
RICHMOND,  Donald  Eugene 
RILEY,  William  E. 

RIORDAN,  John  J. 

RISINGER,  Ben  Weir 

RITCHEY,  Harold  W* 

RITTER,  Darrell  LLoyd 
BOAT,  Howard  Levi 
ROBERTSON,  Wilson  Bee 

ROBISON,  Gerson  H. 

ROGERS,  Martin  W. 

RORK,  Philip  Joseph 

ROSS,  Chandler  C. 
ROTHSTEIN,  Arnold  A* 
ROZETT,  Lawrence 

RUMLEY,  Darrell  Kieth 
RUSSELL,  Charles  Woodrow 


ACTIVITY/INDUSTRY 

Force  Material  Officer 
Staff,  COMNAVAIRPAC 
NAS  North  Island 
San  Diego,  California 

BUWEPSFLTREADREP  Pacific 

NAS  North  Island 

San  Diego,  California 

Texas  Instruments,  Inc. 

6000  Lemmon  Avenue 
Dallas,  Texas 

Battelle  Memorial  Institute 
505  King  Avenue 
Columbus,  Ohio 

Office  of  the  Secretary  of  Defense 
Room  4b 6Qh 
The  Pentagon 
Washington,  D.  C. 

Ling  Tern co  Vought 
Aeronautics  Division 

Box  5907 

Dallas,  Texas 

Thiokol  Chemical  Corporation 
33^*0  Airport  Road 
Ogden,  Utah 

U.  S.  Naval  Ordnance  Test  Station 
China  Lake,  California 

AC  Spark  Plug  Division,  GMC 
Milwaukee  1,  Wisconsin 

Bureau  of  Naval  Weapons  Representative 
Her  cities  Powder  Company 
Magna,  Utah 

Sperry  Gyroscope  Company 
Great  Neck,  New  York 

Manager,  Product  Assurance 
MM&SR  RCA 

Moorestown,  New  Jersey 

QM  Research  & Engineering  Command 
Kansas  Street 
Natick,  Massachusetts 

Aerojet-General  Corporation 
Azusa,  California 

AVCO  Corporation 
Wilmington,  Massachusetts 

Ford  Instrument  Company 
31-10  Thomson  Avenue 
L.I.C.,  New  York 

McClellan  Air  Force  Base 
California 

Republic  Aviation  Corporation 
Farmingdale,  New  York 


1*89 


NAME 

ACTIVITY/INDUSTRY 

SADLER,  Robert  E. 

Air  Force  Communications  Service 
Scott  Air  Force  Base,  Illinois 

SAMUELS ON,  Robert  Eugene 

Motorola  Inc,,  MED/WC 
8201  East  McDowell  Road 
S c 0 1 1 s dale , Arizona 

SARNO,  Polo  M. 

Bell  Aero systems  Company 
P,  0,  Box  1 
Buffalo  5>  New  fork 

SCARBOROUGH,  Omer  George 

General  Dynami c s /Co n vai r 
3302  Pacific  Highway 
San  Diego,  California 

SCARLET,  Neil  Joseph 

ARINC  Research  Corporation 
467  Hamilton  Avenue 
Palo  Alto,  California 

SCHAEFER,  Earl  Homer 

North  American  Aviation 
Downey,  California 

SCHMID,  Ervin  R* 

Bell  Telephone  Laboratory,  Inc. 
555  Union  Boulevard 
Allentown,  Pennsylvania 

SCHARFFENBERGER,  George  T, 

Litton  Systems,  Inc, 

336  North  Foothill  Road 
Beverly  Kills,  California 

SCHIAVONE,  Daniel  Charles 

Martin  Company 

SCHIBHSER,  George  Anthony 

Bell  Telephone  Laboratories,  Inc, 
Whippany  Road 
Whippany,  New  Jersey 

SCHLIE,  Walter 

Headquarters,  USAF 
The  Pentagon 
Washington,  D.  C. 

SC  HR I EVER , Bernard 

AFSC  Andrews  Air  Force  Base,  Maryland 

SCHWEITZER,  Dean  C, 

Maxwell  Air  Force  Base,  Alabama 

SCHWARTZ,  R.  N. 

WSEG  OSD 

Washington,  D.  C. 

SCHWINGE,  Heinz  T. 

U,  S,  Air  Force 

AFMDO  Holloman  Air  Force  Base,  New  Mexico 

SCREEN,  Lorin  Burton 

Department  of  the  Army 
Washington  25,  D.  C, 

SELDQN,  Mark  Robert 

General  Dynamics/Astronautics 

P*  0,  Box  1128 

San  Diego  12,  California 

SENATOR,  Frank  E. 

Operations  Research,  Inc. 
225  Santa  Monica  Boulevard 
Santa  Monica,  California 

SEWALL,  Richard  Murrell 

Naval  Air  Technical  Services  Facility 

5801  Tabor  Road 

Philadelphia  20,  Pennsylvania 

NAME 

activity/ industry 

SEYLER,  Lesley  Leroy 

General  Atomic  Division 
General  iynamics  Corporation 
F,  0,  Box  60B 
San  Diego,  California 

SHAPERO,  Albert 

Stanford  Research  Institute 
333  Ravenswood  Avenue 
Menlo  Park,  California 

SHARP,  Robert  G. 

Ryan  Aero  Company 

Division  of  Ryan  Aero  Company 

Lindbergh  Field 

San  Diego  12,  California 

SHEA,  Joseph  F* 

National  Aeronautics  & Space  Administration 
Washington,  D*  C* 

SHERIDAN,  John  P. 

Sprague  Electric  Company 
2321  Wisconsin  Avenue,  N.W, 
Washington  7,  D<  C, 

SHIELDS,  Robert  Verdean 

CONVAIR,  Division  of  General  Dynamics 
San  Diego,  California 

SHI  NAF  ELT,  Thoma  s W , 

Aeronautics  & Missiles  Division 
Chance  Vought  Corporation 
P.  0.  Box  590? 

Dallas,  Texas 

SHUKEN,  Howard  Leonard 

Space  General  Corporation 
9200  East  Flair 
El  Monte,  California 

SHUPP,  Raymond  W- 

U*  S»  Naval  Ordnance  Laboratory 
Corona,  Cal i f ornia 

SIMONS,  Bernard  Joseph 

General  Dynamics/ CONVAIR 

F*  0.  Box  1952 

San  Diego  12,  California 

SIMPSON,  Woman  Henry 

General  Dynamic s/Fort  Worth 
F.  0*  Box  ?48 
Fort  Worth,  Texas 

SIMPSON,  Paul  Kellogg 

Sanders  Associates,  Inc* 
Nashua,  New  Hampshire 

SIMS,  Richard  E» 

Air  Force  Unit  Post  Office 
Los  Angeles  45,  California 

SMALL,  Arnold  M. 

Hughes  Aircraft  Company 
P.  0*  Box  2097 
Fullerton,  California 

SMILEY,  Robert  W. 

Department  of  the  Navy, 

Bureau  of  Naval  Weapons  Representative 

spo,  msc 

F*  0,  Box  504 
Sunnyvale,  California 

SMALL,  John  G * 

California  Institute  of  Technology 
Jet  Propulsion  Laboratory 
4800  Oak  Grove  Drive 
Pasadena,  California 

NAME 

SMITH,  Levering 

SMITH,  M.  C. 

SMITH,  Raymond  A. 

SOSDIAN,  John  P. 
SPANDORFER,  Lester  M. 

SPEER,  Ivan  E. 

SPERLING,  Philip  I* 

SPIEGEL,  Joseph 

STARK,  Edward 
STATLER,  Clifford 

STEELMAN,  Robert  J, 
STEEN,  Jermone  R. 

STEGENGA,  Frederick  L. 

STEIGER,  Robert  J. 
STEINBERG,  Alvin 

STEPHENSON,  Franklin  A. 


ACTIVITY/ industry 

Special  Projects  Office 
Department  of  the  Navy 
Washington,  D.  C. 

Headquarters 
U.  S.  Air  Force 
Washington,  D.  C, 

Radio  Corporation  of  America 
Astro- Electronics  Division 
Princeton,  New  Jersey 

U.  S,  Army  Signal  Reserve  & Dev  Laboratory 
Fort  Monmouth,  New  Jersey 

Remington  Rand  Uni vac 
Division  of  Sperry  Rand 
Box  500 

Blue  Bell,  Pennsylvania 

AiResearch  Manufacturing  Company  of  Arizona 
k02  South  36th  Street 
Phoenix,  Ari zona 

Office  of  the  Surgeon  General 
Department  of  the  Army 
Main  Navy  Building 
Washington  25,  D.  C. 

The  Mitre  Corporation 
P.  0.  Box  208 
Bedford,  Massachusetts 

Picatinny  Arsenal 
Dover,  New  Jersey 

Uni  dynamics 
Box  231 

Marion,  Illinois 

U.  S.  Navy  Electronics  Laboratory 
San  Diego  52,  California 

Syl vania  Electric  Products,  Inc. 

Subsidiary  General  Telephone  & Electronics 
Corporation 
40  Sylvan  Road 
Waltham  5^,  Massachusetts 

Douglas  Aircraft  Company,  Inc. 

3855  Lakewood  Boulevard 
Long  Beach,  California 

COMPACMISRAN 

Army  Ordnance  Missile  Command 
Redstone  Arsenal,  Alabama 

General  Dynami cs / CONVAIR 

P.  0.  Box  1950 

San  Diego  12,  California 


h92 


NAME 

STERNBERG,  Alexander 

STERRETT,  John  K. 

STITCH,  Morton 
ST  JAMES,  Louis  N. 

ST  LAURENT,  Paul  G. 

STOLPER,  Edwin  F. 

STRICH,  Robert 

STROFE,  Walmer  E. 

STUART,  Henry  J. 

STUCKEY,  Loyd  C. 

STURTEVANT,  Oliver  W. 

SULLIVAN,  E*  J. 

MAJ  USAF 

SUMERLIN,  William  T. 

SUSAG,  Millins  P. 

SUTOROWSKI,  E. 

SWEITZER,  Harry  Frederick,  Jr, 

SWANSON,  Douglas  William 
SWIFT,  Edward  C. 

TALL,  Max  M, 


ACTIVITY/ INDUSTRY 

Radio  Corporation  of  America 
Astro -Electronic  Products  Division 
Princeton,  New  Jersey 

DCS/C&E  Headquarters,  Norad 
Ent  Air  Force  Base,  Colorado 

McDonnell  Aircraft  Corporation 
St,  Louis  66,  Missouri 

Bell  Telephone  Laboratories,  Inc, 
Whippany,  New  Jersey 

U.  S.  Navy  Central  Torpedo  Office 
Newport,  Rhode  Island 

Sikorsky  Aircraft 
North  Main  Street 
Stratford,  Conne  cti cut 

Cannon  Electric  Company 
3208  Humboldt  Street 
Los  Angeles  31,  California 

Director  of  Research 
Office  of  Civil  Defense 
Department  of  Defense 
Battle  Creek,  Michigan 

General  Eynamics/Electronics 
3302  Pacific  Highway 
San  Diego,  California 

General  Dynami cs/ CONVAIR 
San  Diego,  California 

INM  LA 

Headquarters,  SBAMA 

Norton  Air  Force  Base,  California 

McDonnell  Aircraft  Corporation 

P*  0*  Box  516 

St.  Louis  66,  Missouri 

Pratt  & Whitney  Aircraft 

kOO  Main  Street 

East  Hartford,  Connecticut 

FW  Department 

NAS  North  Island 

San  Diego,  California 

Raytheon  Company 
Sudbury,  Massachusetts 

General  Dynamics  Corporation 

Pratt  & Whitney  Aircraft 

400  Main  Street 

East  Hartford,  Connecticut 

Radio  Corporation  of  America 
Defense  Electronic  Products 


h$3 


NAME 

ACTIVITY/ INDUSTRY 

TAYLOR,  Richard  J* 

Aerospace  Defense  Systems  Officer 
SSD 

Los  Angeles  45,  California 

TAYLOR f Robert  L. 

Radio  Corporation  of  America 
Junction  Routes  3 & 62 
Burlington;  Massachusetts 

TERRY,  Joseph  E* 

U,  S*  Naval  Ordnance  Laboratory 
Corona;  California 

THOMAS,  James  W. 

Vitro  Laboratories 
1400  Georgia  Avenue 
Silver  Spring,  Maryland 

THOMPSON;  COvid  E* 

Hercules  Powder  Company 
Bacchus  Works 
Magna,  Utah 

THOMPSON,  Francis  A 

Martin  Denver 
Water ton  Plant 
Denver,  Colorado 

THORNE^  Charles  M* 

U*  S,  Naval  Torpedo  Station 
Keyport,  Washington 

THYBONY,  William  W. 

OSD 

Wa  shi ng ton,  B * C , 

TOBIASSEN,  Thoralph  J * 

ASD 

Wright  Patterson  Air  Force  Base,  Ohio 

TOMAC,  Charles  J, 

BOWEPSFLTREADREP  fticific 

NAS  North  Island 

San  Diego,  California 

TOWNSEND,  Alan  R. 

Allison  Division 
General  Motors  Corporation 
P.  0.  Box  8g4 
Indianapolis  6,  Indiana 

TREMAINE,  Stanley  A* 

Deputy  Commander,  Systems  Management 
Aeronautical  Systems  Division 
Wright- Patterson  Air  Force  Base,  Ohio 

TRGXEL,  David  I* 

Radio  Corporation  of  America,  Section  4l6 
Reliability  & Maintainability  Techniques 
Bldg*  1-6-6 
Camden  2,  New  Jersey 

TOPPER;  Fred  A. 

U>  S*  Army  Arty  & Msl  School 
Guided  Missile  Department 
Fort  Sill,  Oklahoma 

TYDON,  Walter 

AEROSPACE 

TYLER;  Charles  C, 

Western  Electric  Company 
3300  Lexington  Road 
Winston-Salem,  North  Carolina 

TYNDALE,  Harold  E, 

Bureau  of  Naval  Weapons  Representative 
1100  W,  Hollyvale 
Azusa,  California 

UDICK,  Mitchell  L, 

Bureau  of  Naval  Weapons  Representative 
Lockheed 

Burbank , Cal i f or ni a 

NAME 

ACTrVITY/lNEUSTRY 

ULAMj  Frederick  Anthony 

U.  S.  Naval  Missile  Center 
Point  Mugu,  California 

ULANS,  Roman  Irodian 
COL,  USA 

U*  S*  Army  Signal  Materiel  Support  Agency 
Fort  Monmouth,  New  Jersey 

VANDERHAMM,  Roland  L. 

Collins  Radio  Company 
5225  C Avenue  N.E. 
Cedar  Rapids,  Iowa 

VAN  TIJN,  David  E. 

ARIMC  Research  Corporation 
1700  K Street  N*W* 
Washington,  D,  C* 

VAUGHN,  William  R. 

Atomics  International 
89OO  DeSoto  Avenue 
Canoga  Park,  California 

VERNON,  William  B. 

The  Eoeing  Company 
Box  3707 

Seattle  24,  Washington 

VIANNEf,  Edmond  JR. 

Sikorsky  Aircraft 
Stratford,  Conne  ct 1 cut 

VICKERY,  A.  E, 

Executive  Officer 

U,  S*  Naval  Air  Station,  North  Island 
San  Diego,  California 

VI DALE,  Marcello  Levi 

Arthur  D.  Little,  Inc, 

35  Acorn  Park 
Cambridge,  Massachusetts 

VILLERE,  Allard  C, 

General  Dynamics 
Pomona,  California 

VOGEL,  Theodore  A. 

General  Dynamics 
Pomona,  California 

VON  G0ERAED 

FMC  Corporation 
1185  Coleman  Avenue 
Santa  Clara,  California 

WAG  NON,  Frederick  W. 

NASA  Marshall  Space  Flight  Center 
Huntsville,  Alabama 

WALDRON,  Stoddard  S. 

Arthur  D,  Little,  Inc. 
1424  - 4th  Street 
Santa  Monica,  California 

WALES,  Henry  M* 

American  Bosch  Arma  Corporation 
9460  Wile hire  Boulevard 
Beverly  Hills,  California 

WALKER,  Audrin  R, 

Aeronautical  Systems  Division 
Wright -Batter son  Air  Force  Base,  Ohio 

WANGGAARD,  Lars,  Jr. 
CDR,  USN 

BUWEPSFLTR EA DR EF  Pacific 

NAS  North  Island 

San  Diego,  California 

WARNER,  William  K. 

North  American  Aviation,  Inc, 
Space  & Information  Division 
Downey,  California 

NAME 


WARREN,  Robert 
WEARY,  Neil  S. 

WEBER,  John  Gilbert 
WEINBERG,  Lawrence 
WELK,  Horace  B.,  Jr, 
WENGER,  Floyd  E. 

WERGEN,  James  H. 

COL  USAF 

WHITE,  Samuel,  Jr. 

WHITEMAN,  Irvin  R. 
WILCOX,  Allison  11 J” 

WILEY,  Franklyn  Louis 

WILLIAMS,  Howell  Powell 

WILLIS,  Galen  N. 

WILSON,  Keith  S. 


ACTIVITY/INDUSTRY 

U.  S.  Naval  Underwater  Ordnance  Station 
Newport,  Rhode  Island 

Joint  Chiefs  of  Staff 
Space  Ss  Weapons  System  Branch 
The  Pentagon 
Washington,  D.  C. 

U.  S.  Naval  Ordnance  Laboratory 
Corona,.  California 

Lockheed  Propulsion  Company 
Redlands,  California 

U.  S.  Naval  Air  Development  Center 
Johns vi lie,  Pennsylvania 

Headquarters 

Air  Force  Systems  Command 
Andrews  Air  Force  Base, 

Washington  25,  D.  C. 

Aeronautical  Systems  Division 
Wright -Patterson  Air  Force  Base,  Ohio 

Sikorsky  Aircraft 
North  Main  Street 
Stratford,  Connecticut 

CEIR,  Inc. 

Beverly  Hills,  California 

Ryan  Aeronautical  Company 

Lindbergh  Field 

San  Diego  12,  California 

California  Computer  Products,  Inc. 

8714  deta  Street 
Downey,  California 

General  Dynamics/ CO NVAIR 
3302  Pacific  Highway 
San  Diego,  California 

The  Boeing  Company 
7755  Fast  Marginal  Way 
Seattle,  Washington 

Lockheed-Georgia  Company 
Marietta,  Georgia 


WINTERS,  Harold  Melvin  The  Technical  Material  Corporation 

WOLMAN,  William  W,  NASA  - GODDARD 

Greenbelt,  Maryland 

WOOD,  William  P,  Martin  Company 

Orlando,  Florida 

WOODS,  Mark  W.  OPTEVFOR 

CAPT  USN  Norfolk,  Virginia 


YAZDZIK,  Thaddeus  R. 


Sikorsky  Aircraft 
Stratford,  Connecticut 


NAME 


ACTIVITY/IN  DUSTRY 


YOSK,  Earl  K. 

YOST,  Harold  C. 

YOUNG,  John  W. 

YOUNG,  Malcolm  A. 
YOUNG,  Paul  A 

£AYACK,  nelson 

ZIERj  Harold  G. 
ZWERLIWG,  Stanley 


Defense  Supply  Agency 
Washington  25 , D*  C. 

AC  Spark  ELug  Division 
GMC 

Milwaukee  1,  Wisconsin 

Worth  American  Aviation,  Inc* 

International  Airport 
Los  Angeles  9,  California 

International  Business  Machines  Corporation 
Owego,  New  York 

Sperry  Utah  Company 
322  Worth  2100  West 
Salt  Lake  City,  Utah 

Wyle  laboratories 
128  Maryland  Street 
EL  Segundo,  California 

Army  Ordnance  Missile  Command 
Bedstone  Arsenal,  Alabama 

General  Electric  Company 
3198  Chestnut  Street 
Riiladelphia,  Pennsylvania 


For  sale  by  the  Superintendent  of  Document,  C,S,  Government  Printing  Office 
Washington  25,  D,C,  - Price  $2.75 


h97 


* U.  S,  GOVERNMENT  PRINTING  OFFICE  ; l $63  O - BS219? 


